…and if so, how?
Do you mean X509 certificates as used with TLS (SSL)? Or do you mean OpenSSH “homebrew” simplified certificates?
I didn’t know there was a difference. I’ll do some more reading.
What I’m looking for is a way to allow SSH to the console, using public key authentication, but without the need to keep authorized_users synchronised across all nodes.
Ideally, we’d integrate with something AWS-aware that handed out short-term (hours, rather than days) client certs.
I saw that, but it doesn’t seem to allow for checking a certificate chain. My thinking at the time was that we could just deploy a root cert to the nodes, and then validate the client cert against that. Kinda normal stuff (for TLS).
Are you suggesting, instead, that I use the
is_auth_key callback (which takes the client’s public key) and check that against … something else … that either holds a centralised copy of the public key, or that handed out the keypair in the first place…?
Do you have any examples or documentation for how that might work…?
Default callback is Erlang -- ssh_file
That use usual ssh certificates , with known_host and authorized_keys of system or user directory .
Those directories can be changed as parameters if those files are coming with a release, for instance , or if user running vm does not have access to system ones. Be aware that openssl is used under the hood so usual security access must be respected.
Creating a custom callback can be inspired of ssh_file.erl
Important rsa is deprecated by default on recent otp releases . Add this in sys.config as workaround .
You misunderstand. I know how to replace the implementation. I’m looking for examples where other people have done something like what I’m asking.
Are there any walkthroughs/examples/documentation where people have used a custom callback to avoid deploying new authorized_users in order to make changes?
I am not aware of any code that adds OpenSSH certificate based authentication to the (server part of the) erlang ssh application.
When i found nothing and tried to figure out what modifications to the ssh application would be needed to get this working i gave up at some point.
However, i do have the code to operate on OpenSSH certificates in my erlang SSH authentication agent application here: essh_pkt.erl, essh_cert.erl that might be of use.