Add support for using CA certs for upstream ssh connection #210
Conversation
Any different from
Yes, this is adding support for ssh connections using signed CA certs documented here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys
Another way to look at it is that this is the equivalent of doing this in your ssh config:
Merge to UpstreamPrivateKeyAuth?
Something like this?
Yup, but I still did not understand the purpose of this. It seems it just checks if the cert matches the public key of the signer?
We can't just use the private key, because the upstream server does not have the matching public key to that private key. Instead it only has the public CA cert.
Yes, it does check if the cert matches the public key of the signer, but it also "returns a Signer that signs with the given Certificate, whose private key is held by signer." This is the part we need so that we can connect to the server with the signed CA public key. Tomorrow I am going to work on building an e2e test for this and the suggestion you made for making the CA public cert an optional field to CreatePrivateKeyAuth. Hopefully with a working e2e test it will make more sense. Thanks for your help so far, really appreciated!
Thanks
@tg123 I made the change to do it as an optional variable on CreatePrivateKeyAuth. Looking for some early feedback on that while I figure out the e2e tests. |
Thanks, this approach looks good to me.
@tg123 This is now ready for review. I added your suggested error checking and an e2e test for it. |
The log is too big.
Hmm, looks like the GitHub Actions test runner could not find
Any ideas why that wouldn't be working on GitHub Actions?
You mean here?
Seems it is.
Yes, that command should create
See, it created the ssh_host_ed25519_key-cert.pub file in that Docker container. Can you try it on your local machine?
Seems GitHub merges master before running e2e.
A recent snap change made server key generation self-contained without using ssh-keygen.
Tested your branch: GOOD. Tested your branch merged with master: BAD.
@tg123 My bad, I didn't merge with master locally. It should be fixed now.
Thanks for sending the missing feature.
@@ -0,0 +1,61 @@ | |||
//go:build full || e2e | |||
|
|||
package main |
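Review bot: the `//go:build full || e2e` constraint on this new file means a plain `go test ./...` skips it, so the new CA-cert test only runs when the e2e job passes `-tags e2e` (or `full`); worth confirming the workflow does, since the thread above shows the e2e run is what caught the master-merge breakage. As this file is also meant to be the starting example for plugin authors, a doc comment above `package main` saying what it exercises (upstream auth with a CA-signed cert and how the cert is passed to CreatePrivateKeyAuth) would make it easier to find.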
Any plan to support it in some other plugin?
I did it this way because I was just trying to quickly get an e2e test working rather than building a fully working plugin. This should also provide working example code for anyone that would need to get started with this new feature. The plugin that is being worked on by us is pretty specific and closed source. If there are any other parts that can be made open source, I will be sure to make another pull request.
Let me know when you are ready to merge.
Okay, fixed your last comment, ready to be merged whenever. Thanks again for all your help!
Opening this draft as a proposed solution to #204.
This can be used with the following example:
I may have done the protoc part wrong; I was having trouble getting it to exactly match your output and could not find any specific info in your docs. Looking to get feedback on whether this is a good solution and if it can be added to sshpiper. Thanks!