I have some problems with the current system of configuring SSH keys for users.
Is there a good reason for VyOS putting an additional validation layer over what OpenSSH already provides?
That seems unnecessary and creates a few problems:
- Supported OpenSSH features are rendered unusable because they are not configurable through the configuration system and system config files are reset regularly.
- It creates an unnecessary maintenance burden because when OpenSSH introduces new features the VyOS configuration system must be updated, too.
- The configuration experience is more complicated than it needs to be. But this might just be my personal preference.
Why not just simplify the current configuration command to
set system login user <username> authentication public-keys <authorized-keys-file-syntax-string>
and then use ssh-keygen to check the validity?
Wouldn’t this be a viable solution that solves the above-mentioned problems and achieves automatic feature parity with the shipped OpenSSH version? Am I missing something?
Interested to hear some feedback! I would also be willing to make the necessary changes to the codebase.
We need support for authenticating users via SSH certificates. The OpenSSH version shipped with VyOS actually supports this, but the necessary keys cannot be configured because they require the key type to be prepended with cert-authority. There is also no way to set other options for the keys.
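To make the proposal concrete, here is an added example (not VyOS code, not OpenSSH code, and not something the poster wrote) of what the "accept an authorized_keys line, then let ssh-keygen judge it" approach looks like. It parses one line in the sshd(8) AUTHORIZED_KEYS FILE FORMAT, including a leading option list such as `cert-authority,principals="..."`, checks that the base64 blob decodes and that the type string embedded in the blob matches the declared key type, and then hands the line to the real `ssh-keygen -l -f` for a fingerprint when that binary is installed. The sample keys are constructed (an ed25519 blob built from 32 arbitrary bytes) and the `KNOWN_KEY_TYPES` list is an assumption covering common types only.

```python
import base64
import os
import shutil
import struct
import subprocess
import tempfile

# Assumed subset of key types sshd accepts; extend as needed.
KNOWN_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _take_token(s):
    """Return (token, remainder): split at the first unquoted blank, honouring "..." and \\" escapes."""
    out, quoted, i = [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and quoted and i + 1 < len(s):  # keep escaped char inside quotes
            out.append(c)
            i += 1
            c = s[i]
        elif c == '"':
            quoted = not quoted
        elif c in " \t" and not quoted:
            break
        out.append(c)
        i += 1
    return "".join(out), s[i:].lstrip()


def _parse_options(s):
    """Split an option list on commas that are outside double quotes."""
    opts, cur, quoted, escaped = [], [], False, False
    for c in s:
        if escaped:
            escaped = False
        elif c == "\\" and quoted:
            escaped = True
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(c)
    opts.append("".join(cur))
    return opts


def split_authorized_line(line):
    """Return (options, keytype, base64_blob, comment) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    first, rest = _take_token(line)
    if first in KNOWN_KEY_TYPES:          # no options present
        options, keytype = [], first
    else:                                 # first token is the option list
        options = _parse_options(first)
        keytype, rest = _take_token(rest)
        if keytype not in KNOWN_KEY_TYPES:
            raise ValueError(f"unknown key type {keytype!r}")
    b64, comment = _take_token(rest)
    return options, keytype, b64, comment.strip()


def check_blob(keytype, b64):
    """Decode the blob and confirm the embedded RFC 4253 type string matches the declared type."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except Exception as exc:
        raise ValueError(f"key blob is not valid base64: {exc}")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", errors="replace")
    if n > len(blob) - 4 or embedded != keytype:
        raise ValueError(f"blob type {embedded!r} does not match declared {keytype!r}")
    return blob


def ssh_keygen_fingerprint(line):
    """Let the installed ssh-keygen validate the line; returns None if ssh-keygen is not installed."""
    exe = shutil.which("ssh-keygen")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".pub", delete=False) as f:
        f.write(line.rstrip("\n") + "\n")
        path = f.name
    try:
        r = subprocess.run([exe, "-l", "-f", path], capture_output=True, text=True)
    finally:
        os.unlink(path)
    if r.returncode != 0:
        raise ValueError(f"ssh-keygen rejected the key: {r.stderr.strip()}")
    return r.stdout.strip()


def validate(line):
    """Structural checks first, then ssh-keygen; returns a summary dict or raises ValueError."""
    options, keytype, b64, comment = split_authorized_line(line)
    check_blob(keytype, b64)
    return {"options": options, "type": keytype, "comment": comment,
            "is_ca": "cert-authority" in options,
            "fingerprint": ssh_keygen_fingerprint(line)}


def make_ed25519_blob(raw32):
    """Constructed sample: wrap 32 raw bytes as an ssh-ed25519 wire blob (not a real key pair)."""
    t = b"ssh-ed25519"
    return base64.b64encode(struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + raw32).decode()


SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))
SAMPLE_LINES = [  # constructed inputs in authorized_keys syntax
    f"ssh-ed25519 {SAMPLE_BLOB} alice@example",
    f'cert-authority,principals="ops,net admins" ssh-ed25519 {SAMPLE_BLOB} vyos-user-ca',
    f'from="192.0.2.0/24",no-pty ssh-ed25519 {SAMPLE_BLOB} restricted',
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(validate(ln))
```

The structural checks catch the cheap mistakes (wrong type prefix, truncated paste) before anything is written to disk, and the `ssh-keygen` call is what gives the feature parity the post asks for: any option or key type the shipped OpenSSH understands is accepted, and anything it does not is rejected with OpenSSH's own error message.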