In a typical system using OpenSSH, the TrustedUserCAKeys option allows SSH certificates to authenticate users securely. However, there is a bug in the VyOS implementation of this feature introduced in https://vyos.dev/T6013.
Current Problem:
- The current VyOS configuration requires the TrustedUserCAKeys to be sourced strictly from the VyOS PKI module.
- The VyOS PKI only accepts X.509 certificates as certificate authorities (CAs).
- OpenSSH does not natively manage X.509 certificates. Instead, it uses OpenSSH certificates, which are a simpler, more direct implementation. More details on this difference can be found in this Smallstep blog post.
Possible Compatibility Issue:
- For X.509 certificates, Roumen Petrov publishes custom OpenSSH builds with X.509 support, but it is unlikely that VyOS uses these builds. VyOS most likely ships with the native version of OpenSSH, which lacks native support for X.509 certificates but supports a lighter and less complex alternative. OpenSSH developers have maintained that the complexity of X.509 certificates introduces an unacceptable attack surface for sshd. Instead, they have implemented a simpler certificate format that is easier to parse and thus poses less security risk.
- As it stands, this implementation does not work for environments relying on OpenSSH certificate-based authentication.
Possible Solutions:
- Add Support for OpenSSH CA Keys in VyOS PKI:
  - Allow the VyOS PKI to accept OpenSSH-style CA public keys (in ssh-rsa or similar formats), and make the SSH service retrieve the CA from this source instead of requiring an X.509 CA.
- Change SSH Configuration Behavior:
  - Enable VyOS to load the SSH CA public key directly from a local path (e.g., /etc/ssh/trusted-user-ca-keys.pem) or a remote path (e.g., https://vault.example.com/v1/ssh-client-signer/public_key).
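As an added illustration (not part of this report, nor VyOS or OpenSSH code) of why the OpenSSH certificate format is simpler than X.509 and of what sshd decides under TrustedUserCAKeys, the Python below encodes a user certificate in the PROTOCOL.certkeys field layout, parses it back with a flat length-prefixed walk, and applies the CA-trust, principal and validity checks. The CA key blobs, user key and signature are constructed placeholders; real Ed25519 signature verification is deliberately left out.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # type 2 is a host certificate

def _string(b): return struct.pack(">I", len(b)) + b  # SSH "string": uint32 length + bytes

def build_user_cert(user_pk, key_id, principals, valid_after, valid_before, ca_blob):
    # Field order from PROTOCOL.certkeys; the signature is a constructed placeholder.
    body = (_string(CERT_TYPE) + _string(b"\x00" * 32) + _string(user_pk)
            + struct.pack(">QI", 1, SSH_CERT_TYPE_USER) + _string(key_id)
            + _string(b"".join(_string(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"") * 3 + _string(ca_blob))  # critical options, extensions, reserved, CA key
    return body + _string(b"CONSTRUCTED-SIGNATURE")

class _Reader:
    def __init__(self, data): self.data, self.off = data, 0
    def take(self, n):
        chunk, self.off = self.data[self.off:self.off + n], self.off + n
        if len(chunk) != n: raise ValueError("truncated field")
        return chunk
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_cert(blob):
    # Every field is fixed-width or length-prefixed: a flat walk, no nested ASN.1 as in X.509.
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519-cert-v01 blob")
    cert = {"nonce": r.string(), "pk": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string(), "principals": []}
    pr = _Reader(r.string())  # principals are a packed list of strings
    while pr.off < len(pr.data):
        cert["principals"].append(pr.string())
    cert.update(valid_after=r.u64(), valid_before=r.u64(), critical_options=r.string(),
                extensions=r.string(), reserved=r.string(), signature_key=r.string(),
                signature=r.string())
    return cert

def accept_for_user(cert, trusted_ca_blobs, username, now):
    # The decisions sshd makes under TrustedUserCAKeys (signature itself not verified here).
    if cert["signature_key"] not in trusted_ca_blobs:
        return "CA not in TrustedUserCAKeys"
    if cert["type"] != SSH_CERT_TYPE_USER:
        return "not a user certificate"
    if username.encode() not in cert["principals"]:
        return "principal not listed (a certificate without principals is rejected too)"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "outside validity window"
    return "ok"
```

The `trusted_ca_blobs` set stands in for the parsed contents of the TrustedUserCAKeys file, which is why a CA key that sshd can read as a plain OpenSSH public key, rather than an X.509 certificate, is what this check needs.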