I want to use the new SSH certificate configuration referenced here: VyOS Task T6013. There’s an MR here: vyos-1x pull request #4234 and another one for the documentation.
From what I understand, the procedure is as follows:
Add a certificate authority using the PKI module:
set pki ca <ca_name> certificate
Reference the CA in the SSH service:
set service ssh trusted-user-ca-key ca-certificate <ca_name>
The issue I face is that my SSH CA public key is in the .pub format, which is the standard for SSH, rather than .pem, as required by VyOS PKI.
For additional context, I use Vault’s SSH secret engine for fully automated credential management.
Could someone help me with this or let me know if I missed anything?
Thank you!
The format I have is in the standard OpenSSH format, which typically starts with the key type (e.g., ssh-rsa), followed by the base64-encoded key and an optional comment. This is the same format used in the authorized_keys file.
Example:
ssh-rsa AAAAB3...
I’ve always used this format for the TrustedUserCAKeys directive in sshd_config. As far as I know, this is the standard format, while the PEM format is more commonly used for TLS and mTLS.
I also attempted to convert the OpenSSH format to PEM. The generated file contained the -----BEGIN [something]----- header. I used the following command to strip the header and footer:
tail -n +2 ca.pem | head -n -1 | tr -d '\n'
I then added the output to the PKI, but it still didn’t work.
Here’s the error I encountered:
[pki]
Invalid certificate on CA certificate "vault"
[[pki]] failed
[service ssh]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 138, in run_script
    script.generate(c)
  File "/usr/libexec/vyos//conf_mode/service_ssh.py", line 133, in generate
    ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 451, in find_chain
    parent = find_parent(chain[-1], remaining)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 442, in find_parent
    if verify_certificate(cert, ca_cert):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 363, in verify_certificate
    if ca_cert.subject != cert.issuer:
       ^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'subject'
[[service ssh]] failed
Commit failed
Do I need to make any changes? Any advice would be greatly appreciated.
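As an added example (not code from the thread, Vault or VyOS), the following Python parses an OpenSSH public-key line exactly as described above (key type, base64 blob, optional comment) and reads the PEM header label that the tail/head pipeline strips away; the sample key is constructed in-code with a toy modulus and is not a real CA key. The label matters because a PUBLIC KEY block is not an X.509 CERTIFICATE, which is consistent with the "Invalid certificate" error the PKI module returned.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Encode an ssh-rsa public key as an authorized_keys-style line (constructed sample)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def parse_openssh_public_key(line: str) -> dict:
    """Parse '<keytype> <base64> [comment]' and check the key type embedded in the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos < len(blob):                      # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])   # struct.error if < 4 bytes left
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    if not fields or fields[0] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match the line prefix")
    key = {"keytype": keytype, "comment": parts[2] if len(parts) == 3 else ""}
    if keytype == "ssh-rsa":                    # ssh-rsa blob is: type, e, n
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must carry exactly e and n")
        key["e"] = int.from_bytes(fields[1], "big")
        key["n"] = int.from_bytes(fields[2], "big")
    return key

def pem_label(pem_text: str) -> str:
    """Return the first PEM header label, e.g. 'PUBLIC KEY' or 'CERTIFICATE'."""
    for raw in pem_text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    raise ValueError("no PEM header found; was it stripped with tail/head?")
```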
No, it isn’t. What I’m trying to use is the TrustedUserCAKeys option in sshd: sshd_config - TrustedUserCAKeys. This feature was recently added to VyOS. You can refer to my initial response for more details.