authorChristian Breunig <christian@breunig.cc>2025-05-20 19:57:24 +0200
committerChristian Breunig <christian@breunig.cc>2025-05-29 14:01:32 +0200
commit4b4bbd73b84c2c478c7752f58e7f66ec6d90459e (patch)
tree872749218a0efba4375cad579d617db02b6dac97 /src/conf_mode/pki.py
parentd2745a7b60a7fef88958bd52b3876c105da87e77 (diff)
ssh: T6013: rename trusted-user-ca-key -> truster-user-ca
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the behavior to support native certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migration script is used.
Diffstat (limited to 'src/conf_mode/pki.py')
-rwxr-xr-xsrc/conf_mode/pki.py5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 14fe86d56..7d01b6642 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -64,7 +64,7 @@ sync_search = [
'path': ['service', 'https'],
},
{
- 'keys': ['ca_certificate'],
+ 'keys': ['key'],
'path': ['service', 'ssh'],
},
{
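Review bot: The new `'keys': ['key']` entry for `['service', 'ssh']` only helps if the code that consumes `sync_search` can tell which PKI subtree a match on `key` refers to, and this file's diff (3 insertions, 2 deletions) adds no such mapping. The list and its consumer both lie outside the hunk, so this may already be handled, but it is worth confirming that changing or deleting the referenced key under PKI still re-renders the SSH service configuration. If it does not, sshd would presumably keep trusting a rotated or removed user CA key until the next unrelated SSH commit. `key` is also a very generic node name, so a short comment on the entry would help, for example `# OpenSSH user CA public key (ssh-keygen generated, not X.509)`.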
@@ -418,7 +418,8 @@ def verify(pki):
if 'country' in default_values:
country = default_values['country']
if len(country) != 2 or not country.isalpha():
- raise ConfigError(f'Invalid default country value. Value must be 2 alpha characters.')
+ raise ConfigError('Invalid default country value. '\
+ 'Value must be 2 alpha characters.')
if 'changed' in pki:
# if the list is getting longer, we can move to a dict() and also embed the