authorChristian Breunig <christian@breunig.cc>2025-05-20 19:57:24 +0200
committerChristian Breunig <christian@breunig.cc>2025-05-29 14:01:32 +0200
commit4b4bbd73b84c2c478c7752f58e7f66ec6d90459e (patch)
tree872749218a0efba4375cad579d617db02b6dac97 /data
parentd2745a7b60a7fef88958bd52b3876c105da87e77 (diff)
downloadvyos-1x-4b4bbd73b84c2c478c7752f58e7f66ec6d90459e.tar.gz
vyos-1x-4b4bbd73b84c2c478c7752f58e7f66ec6d90459e.zip
ssh: T6013: rename trusted-user-ca-key -> truster-user-ca
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the behavior to support native certificates generated using ssh-keygen and loaded into our PKI tree. As the previous implementation did not work at all, no migration script is used.
Diffstat (limited to 'data')
-rw-r--r--data/templates/ssh/sshd_config.j26
1 files changed, 3 insertions, 3 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index dce679936..1315bf2cb 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -111,17 +111,17 @@ ClientAliveInterval {{ client_keepalive_interval }}
RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
{% endif %}
-{% if trusted_user_ca_key is vyos_defined %}
+{% if trusted_user_ca is vyos_defined %}
# Specifies a file containing public keys of certificate authorities that are
# trusted to sign user certificates for authentication
-TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
+TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}
# The default is "none", i.e. not to use a principals file - in this case, the
# username of the user must appear in a certificate's principals list for it
# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
# relative to $HOME.
{% set filename = 'none' %}
-{% if trusted_user_ca_key.has_principals is vyos_defined %}
+{% if has_principals is vyos_defined %}
{% set filename = '.ssh/authorized_principals' %}
{% endif %}
AuthorizedPrincipalsFile {{ filename }}