We're converting our ssh host keys to certificate-signed keys. I wanted to write a script that would use ssh-keyscan to grab all the public keys, then sign them all, and then use ansible to push the signed keys back out to all the systems. I do want a passphrase on my CA key that I use to sign host keys.

So I thought I'd be clever and fire up ssh-agent at the beginning of the script, use ssh-add to add the CA key to ssh-agent, and then run off a bunch of ssh-keygen -s commands without it prompting for the passphrase. The ssh-agent seems to start successfully, the ssh-add works, but the ssh-keygen does not seem to be using ssh-agent to get the CA key for signing. Is this a missing feature in ssh-keygen? I don't want to waste time debugging this script if ssh-keygen simply doesn't do this.

At this point, yes, I know I could strip the passphrase, do the work once, and then put the passphrase back. But in the future we may well want to bulk-add more hosts again, and it would be nice to both have a passphrase, and have a script that will bulk sign.

I'm open to alternate approaches but I'd also like a definitive answer about whether or not ssh-keygen is supposed to do this. I've searched and haven't found this info anywhere.

1 Answer

Apparently on BSD systems there is a "-U" option, explicitly mentioned in the documentation, that can be added when signing, which tells it to use the agent for the CA. The non-BSD systems' documentation shows a different usage for "-U" (keys stored in smartcards). HOWEVER, the same option does also seem to work on at least some non-BSD systems (e.g. RHEL8).

So the solution is to use "-Us" instead of just "-s" when signing.

Simplest sample implementation, signing using ssh-agent:

#!/bin/sh

# generate a test CA (you will be prompted for its passphrase)
ssh-keygen -t rsa -f /tmp/test_rsa_CA

# copy in a test ssh host key to sign
cp /etc/ssh/ssh_host_rsa_key.pub /tmp

# start an agent for this script and import its environment variables
eval "$(ssh-agent -s)"
echo "agent running on $SSH_AGENT_PID"

# add the test CA to ssh-agent (prompts for the passphrase once)
ssh-add /tmp/test_rsa_CA

# test signing using agent
# The -U option is better documented on BSD systems but works at least in RHEL8.
# With -U, the -s argument is the CA's public half; the private half stays in the agent.
ssh-keygen -Us /tmp/test_rsa_CA.pub -I test -n test.example.com -V -1d:+30d -h /tmp/ssh_host_rsa_key.pub

kill "$SSH_AGENT_PID"
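The following script is an added example, not code from the question or the answer above. It carries the bulk workflow the question describes (ssh-keyscan output in, one host certificate per key out) through to working shell, using the answer's `-Us` agent-backed signing. Everything it assumes is labelled: the agent is already running and holds the CA, `CA_PUB` points at the CA's public half (a hypothetical path), the scan file is plain ssh-keyscan stdout, and the `-I`/`-n`/`-V` values are choices, not anything the post fixes. It also adds the check a practitioner wants before a bulk run: it refuses to start unless `ssh-add -L` actually lists the CA, so a forgotten `ssh-add` fails fast instead of producing a pile of passphrase prompts or errors.

```shell
#!/bin/sh
# Bulk-sign host keys gathered with ssh-keyscan, using a CA whose private
# half lives in ssh-agent (ssh-keygen -U). Added example, not from the post.
# Assumptions (not from the original): the agent is already running and holds
# the CA; CA_PUB is the CA's *public* half; the scan file is ssh-keyscan stdout.
set -eu

CA_PUB="${CA_PUB:-/etc/ssh/ca/host_ca.pub}"    # hypothetical path
VALIDITY="${VALIDITY:-"-1d:+52w"}"             # same -V syntax as the post

# Succeeds only if the agent holds the CA key (compares the base64 blob).
agent_has_ca() {
    ca_blob=$(cut -d' ' -f2 "$1")
    ssh-add -L 2>/dev/null | grep -qF "$ca_blob"
}

# Split ssh-keyscan output ("host keytype base64" per line) into one .pub
# file per host+keytype under $2, with the host name as the key comment.
# Blank and '#' lines are skipped. Prints the path of each file written.
keyscan_to_pubfiles() {
    scan="$1"; outdir="$2"
    mkdir -p "$outdir"
    while IFS=' ' read -r host ktype blob _; do
        case "$host" in ''|'#'*) continue ;; esac
        [ -n "$ktype" ] && [ -n "$blob" ] || continue
        f="$outdir/$host.$ktype.pub"
        printf '%s %s %s\n' "$ktype" "$blob" "$host" > "$f"
        echo "$f"
    done < "$scan"
}

# ssh-keygen writes the certificate beside the key as <name>-cert.pub.
cert_path() {
    printf '%s\n' "${1%.pub}-cert.pub"
}

# Host certificate (-h) whose only principal is the name clients connect to.
sign_hostkey() {
    pub="$1"; host="$2"
    ssh-keygen -Us "$CA_PUB" -h -I "host-$host" -n "$host" -V "$VALIDITY" "$pub"
}

main() {
    scan="$1"; outdir="${2:-./signed}"
    agent_has_ca "$CA_PUB" || {
        echo "CA $CA_PUB is not loaded in ssh-agent; run ssh-add first" >&2
        exit 1
    }
    keyscan_to_pubfiles "$scan" "$outdir" | while read -r pub; do
        host=$(awk '{print $3}' "$pub")
        sign_hostkey "$pub" "$host"
        # show what was actually issued so a wrong principal is caught now
        ssh-keygen -L -f "$(cert_path "$pub")" | grep -E 'Type|Principals|Valid'
    done
}

# Usage: sign_hosts.sh <keyscan-output-file> [outdir]
# With no arguments the script only defines its functions (so it can be sourced).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `ssh-keyscan -t rsa,ed25519 host1 host2 > scan.txt` first, then `sh sign_hosts.sh scan.txt out/`. Each `<host>.<type>-cert.pub` in `out/` is what gets pushed back (by ansible or otherwise) as `/etc/ssh/ssh_host_<type>_key-cert.pub`, and sshd only presents it once `HostCertificate` in sshd_config points at that file. The principal in `-n` must be the exact name clients use to connect, or they will reject the certificate even though the signature is fine.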