
Add support for SSH certificate configuration
Closed, Resolved · Public · Feature Request

Description

Overview

In a typical system with OpenSSH, the TrustedUserCAKeys and AuthorizedPrincipalsFile options can be used to permit SSH certificates to log in to systems.

This request is for the ability to configure the SSH server settings needed to make SSH certificates work with VyOS.

Our background regarding this request is the ability to use SSH certificates to log in to our VyOS hosts instead of fixed SSH keys or fixed passwords. The ability to log in with certificates allows for keys to have a limited lifespan that is not tied to the device's configuration.

Examples

# set service ssh trusted-user-ca-key <location>

Mapped to sshd_config TrustedUserCAKeys.
  • <location> can be a local path or a URL pointing at a remote file.
  • Example (Local): set service ssh trusted-user-ca-key /tmp/ssh-ca.pem
  • Example (Remote): set service ssh trusted-user-ca-key https://example.com/ssh-ca.pem

# set system login user <username> authentication ca-principals <principal-name>

Mapped to a file containing principal names, configured by sshd_config AuthorizedPrincipalsFile.
  • Adds an SSH certificate principal for a given user for authentication. Multiple principals are permitted per user.
  • Example: set system login user vyos authentication ca-principals netadmins
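The OpenSSH-side setup that this request asks VyOS to expose, as an added worked example (shell; this is not code from the task, from VyOS or from the eventual PR). It builds a throwaway user CA with ssh-keygen, issues a short-lived certificate whose principals are roles rather than account names, writes the two sshd_config directives together with a per-user AuthorizedPrincipalsFile, and then checks which local account would accept the certificate. The scratch directory $WORK, the auth_principals path, the key ids, the principal names and the `demo` entry point are all assumptions chosen for illustration; it targets a plain OpenSSH host, not the VyOS CLI.

```shell
#!/bin/sh
# Added example: OpenSSH user-certificate flow (TrustedUserCAKeys +
# AuthorizedPrincipalsFile). Paths, key ids and principals are illustrative.
set -eu

# Scratch directory standing in for /etc/ssh on a real host (assumption).
WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair. In production this lives offline or in a secrets engine;
#    only ssh-ca.pub ever reaches the SSH servers.
make_ca() {
    rm -f "$WORK/ssh-ca" "$WORK/ssh-ca.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$WORK/ssh-ca"
}

# 2. Issue a short-lived user certificate.
#    $1 = key id, $2 = comma-separated principals, $3 = validity (e.g. +10m).
#    Prints the path of the resulting *-cert.pub file.
issue_user_cert() {
    rm -f "$WORK/$1" "$WORK/$1.pub" "$WORK/$1-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"
    ssh-keygen -q -s "$WORK/ssh-ca" -I "$1" -n "$2" -V "$3" "$WORK/$1.pub"
    echo "$WORK/$1-cert.pub"
}

# 3. Server side: trust the CA public key (OpenSSH authorized_keys format,
#    not PEM) and map certificate principals to local accounts.
write_sshd_snippet() {
    cat > "$WORK/sshd_config.d_ssh-ca.conf" <<EOF
TrustedUserCAKeys $WORK/ssh-ca.pub
AuthorizedPrincipalsFile $WORK/auth_principals/%u
EOF
    mkdir -p "$WORK/auth_principals"
    # Local account "vyos" accepts any certificate carrying principal "netadmins".
    printf 'netadmins\n' > "$WORK/auth_principals/vyos"
}

# 4. Inspect a certificate: print one principal per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {flag=1; next} /Critical Options:/ {flag=0} flag {print $1}'
}

# Does the certificate's principal list intersect the account's principals file?
# This mirrors sshd's principal check only; sshd additionally verifies the CA
# signature and the validity window before accepting the login.
user_accepts_cert() {
    # $1 = cert path, $2 = local username
    for p in $(cert_principals "$1"); do
        grep -qx "$p" "$WORK/auth_principals/$2" 2>/dev/null && return 0
    done
    return 1
}

# End-to-end run: sh ssh_ca_demo.sh demo   (file name is hypothetical)
demo() {
    make_ca
    write_sshd_snippet
    cert=$(issue_user_cert alice netadmins,alice +10m)
    ssh-keygen -L -f "$cert"
    if user_accepts_cert "$cert" vyos; then
        echo "account vyos accepts $cert"
    else
        echo "account vyos rejects $cert"
    fi
}

case "${1:-}" in
    demo) demo ;;
esac
```

Two points worth noting against the rest of this thread: TrustedUserCAKeys reads public keys in OpenSSH authorized_keys format (one `ssh-ed25519 AAAA... comment` line per CA), so a CA exported as PEM will not be accepted by sshd; and `ssh-keygen -L` only displays a certificate, it does not validate the signature, so the `user_accepts_cert` check above answers "would the principal mapping allow it" rather than "would sshd accept it".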

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Wishlist priority. Feb 5 2024, 8:10 AM

Hi, I am interested in this issue and would like to work on it.
If there are any relevant code references or examples, please let me know.

Viacheslav changed the task status from Open to In progress. Dec 12 2024, 9:05 AM
Viacheslav assigned this task to takehaya.

I’ve made various improvements to the code based on the feedback from the review and have moved things forward.
Could you let me know how I can proceed to get further reviews on this PR? 😊

Hi.
The CLI smoketests are failing due to changes unrelated to this PR. I checked the "current" branch and found that the same issue occurs there as well, so it seems that it cannot be resolved unless it is addressed separately.
I believe there are no issues with this PR itself, so I would like it to be merged. What do you think?
I have already received a review and approval.

Thank you for merging the PR! I plan to work on the AuthorizedPrincipalsFile support next. I look forward to your continued support :)

Viacheslav changed the task status from In progress to Needs testing. Dec 23 2024, 2:30 PM

I have added what you included this time to the documentation. It's a simple update, but please review it.

https://github.com/vyos/vyos-documentation/pull/1578

Hello @takehaya,

Thank you for the feature; I really appreciate it.

I'm having trouble making it work and would gladly accept any assistance. From what I understand, the procedure is as follows:

  1. Add a certificate authority using the PKI module: `set pki ca <ca_name> certificate`
  2. Reference the CA in the SSH service: `set service ssh trusted-user-ca-key ca-certificate <ca_name>`

The issue I'm facing is that my SSH CA public key is in the .pub format (ssh-rsa AAAAB3...), which is standard for SSH, rather than the .pem format (-----BEGIN [something]-----) required by VyOS PKI.

I tried converting the .pub key to .pem, but I encountered the following error:

[pki]  
Invalid certificate on CA certificate "vault"  
[[pki]] failed  

[service ssh]  
Traceback (most recent call last):  
  File "/usr/libexec/vyos/services/vyos-configd", line 138, in run_script  
    script.generate(c)  
  File "/usr/libexec/vyos/conf_mode/service_ssh.py", line 133, in generate  
    ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)  
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 451, in find_chain  
    parent = find_parent(chain[-1], remaining)  
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 442, in find_parent  
    if verify_certificate(cert, ca_cert):  
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 363, in verify_certificate  
    if ca_cert.subject != cert.issuer:  
       ^^^^^^^^^^^^^^^  
AttributeError: 'bool' object has no attribute 'subject'  

[[service ssh]] failed  
Commit failed

For additional context, I am using Vault’s SSH secret engine for fully automated credential management.

c-po moved this task from Backlog - Feature Requests to Completed on the VyOS Rolling board.

@tarik.haddouchi I just merged the changes into current and thus will be in the next rolling release. I also encountered this weirdness. CA keys have been moved to OpenSSH public/private keys, see updated documentation: https://docs.vyos.io/en/latest/configuration/service/ssh.html

dmbaturin renamed this task from SSH Certificate configuration to Add support for SSH certificate configuration. Jul 9 2025, 1:01 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.