SSH Certificate configuration: TrustedUserCAKeys


Hello,

I want to use the new SSH certificate configuration referenced here: VyOS Task T6013. There’s an MR here: vyos-1x pull request #4234 and another one for the documentation.

From what I understand, the procedure is as follows:

  1. Add a certificate authority using the PKI module:

    set pki ca <ca_name> certificate

  2. Reference the CA in the SSH service:

    set service ssh trusted-user-ca-key ca-certificate <ca_name>

The issue I face is that my SSH CA public key is in the .pub format, which is the standard for SSH, rather than .pem, as required by VyOS PKI.

For additional context, I use Vault’s SSH secret engine for fully automated credential management.

Could someone help me with this or let me know if I missed anything?
Thank you!

What is the header on your .pub file? It should be something like ------- BEGIN [something] -------

Hello @sarthurdev,

Thanks for your response.

The format I have is in the standard OpenSSH format, which typically starts with the key type (e.g., ssh-rsa), followed by the base64-encoded key and an optional comment. This is the same format used in the authorized_keys file.

Example:

ssh-rsa AAAAB3...

I’ve always used this format for the TrustedUserCAKeys directive in sshd_config. As far as I know, this is the standard format, while the PEM format is more commonly used for TLS and mTLS.

I also attempted to convert the OpenSSH format to PEM. The generated file contained the -----BEGIN [something]----- header. I used the following command to strip the header and footer:

tail -n +2 ca.pem | head -n -1 | tr -d '\n'

I then added the output to the PKI, but it still didn’t work.

Here’s the error I encountered:

[pki]  
Invalid certificate on CA certificate "vault"  
[[pki]] failed  

[service ssh]  
Traceback (most recent call last):  
  File "/usr/libexec/vyos/services/vyos-configd", line 138, in run_script  
    script.generate(c)  
  File "/usr/libexec/vyos//conf_mode/service_ssh.py", line 133, in generate  
    ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)  
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 451, in find_chain  
    parent = find_parent(chain[-1], remaining)  
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 442, in find_parent  
    if verify_certificate(cert, ca_cert):  
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 363, in verify_certificate  
    if ca_cert.subject != cert.issuer:  
       ^^^^^^^^^^^^^^^  
AttributeError: 'bool' object has no attribute 'subject'  

[[service ssh]] failed  
Commit failed  

Do I need to make any changes? Any advice would be greatly appreciated.
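The post above contrasts the single-line OpenSSH public key format (key type, base64 blob, optional comment) with PEM, and the stripped-header text that was fed to the PKI. The following is an added example (not code from the thread or from VyOS) that tells these forms apart: it decodes the base64 blob of an OpenSSH line and checks that the length-prefixed key type embedded in the blob matches the leading text field, recognises a PEM block by its BEGIN/END armour and reports its label, and flags bare base64 with the armour stripped as neither. The `pki_ca_accepts` helper encodes the one thing the `set pki ca <name> certificate` node name and the "Invalid certificate on CA certificate" error make clear: the PKI wants a PEM CERTIFICATE body, so a PEM "PUBLIC KEY" block or an OpenSSH key line does not satisfy it. The sample key is constructed from tiny made-up RSA values and is not a real key.

```python
import base64
import re
import struct

# --- Helpers to build a constructed OpenSSH public key line (RFC 4251/4253 encoding) ---

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length prefix + data."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (two's complement, sign byte if needed)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading 1 bit would read as negative; prepend a zero byte
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa AAAA... comment' line from (made-up) RSA parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line

# Constructed sample: NOT a real CA key, the modulus is a toy value.
SAMPLE_OPENSSH_LINE = build_openssh_rsa_line(65537, 0xC0FFEE, "vault-ssh-ca")

# --- Classifier ---

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def classify_key_material(text: str):
    """Return (kind, detail): ('openssh-public-key', key_type), ('pem', label),
    ('invalid', reason) or ('unknown', '')."""
    text = text.strip()

    m = PEM_RE.search(text)
    if m:
        label, body = m.group(1), m.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return ("invalid", "PEM body is not base64")
        return ("pem", label)

    parts = text.split()
    if len(parts) >= 2:
        key_type, b64 = parts[0], parts[1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            return ("invalid", "second field is not base64")
        if len(blob) < 4:
            return ("invalid", "blob too short for a length prefix")
        (length,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + length]
        # The blob's first SSH string must repeat the key type named in the text field.
        if embedded != key_type.encode("ascii"):
            return ("invalid", f"embedded type {embedded!r} != {key_type!r}")
        return ("openssh-public-key", key_type)

    # Bare base64 (PEM armour stripped) or anything else: no recognisable framing.
    return ("unknown", "")

def pki_ca_accepts(text: str) -> bool:
    """True only for a PEM block labelled CERTIFICATE, i.e. what a 'ca ... certificate'
    node expects; an OpenSSH key line or a PEM PUBLIC KEY block is not a certificate."""
    return classify_key_material(text) == ("pem", "CERTIFICATE")

if __name__ == "__main__":
    for sample in (SAMPLE_OPENSSH_LINE,
                   "-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----",
                   SAMPLE_OPENSSH_LINE.split()[1]):
        print(classify_key_material(sample), "pki_ca_accepts:", pki_ca_accepts(sample))
```

Running the script prints the classification of the constructed OpenSSH line, of a minimal PEM "PUBLIC KEY" block, and of the bare base64 left after stripping the armour (the third case comes back `unknown`: removing the BEGIN/END lines does not turn a PEM body into an OpenSSH key line, it just removes the framing both parsers key on).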

access-using-pem-file - VyOS forums: is this similar to this?

No, it isn’t. What I’m trying to use is the TrustedUserCAKeys option in sshd: sshd_config - TrustedUserCAKeys. This feature was recently added to VyOS. You can refer to my initial response for more details.
