From 4b4bbd73b84c2c478c7752f58e7f66ec6d90459e Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Tue, 20 May 2025 19:57:24 +0200
Subject: ssh: T6013: rename trusted-user-ca-key -> truster-user-ca

The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate " to define an X.509 certificate from "set pki ca ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.
---
 data/templates/ssh/sshd_config.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'data')

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index dce679936..1315bf2cb 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -111,17 +111,17 @@ ClientAliveInterval {{ client_keepalive_interval }}
 RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
 {% endif %}
-{% if trusted_user_ca_key is vyos_defined %}
+{% if trusted_user_ca is vyos_defined %}
 # Specifies a file containing public keys of certificate authorities that are
 # trusted to sign user certificates for authentication
-TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
+TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}
 # The default is "none", i.e. not to use a principals file - in this case, the
 # username of the user must appear in a certificate's principals list for it
 # to be accepted. ".ssh/authorized_principals" means a per-user configuration,
 # relative to $HOME.
 {% set filename = 'none' %}
-{% if trusted_user_ca_key.has_principals is vyos_defined %}
+{% if has_principals is vyos_defined %}
 {% set filename = '.ssh/authorized_principals' %}
 {% endif %}
 AuthorizedPrincipalsFile {{ filename }}
-- 
cgit v1.2.3
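Review bot: The new line `{% if has_principals is vyos_defined %}` tests a top-level variable where the removed line tested a child of the CA node (`trusted_user_ca_key.has_principals`), while the enclosing `{% if trusted_user_ca is vyos_defined %}` still scopes the block to the renamed node; unless the config handler hoists `has_principals` out of `trusted_user_ca` (not visible here), the condition is never true and the principals-file setting is silently ignored, leaving `AuthorizedPrincipalsFile none` for every user. The consistent form is `{% if trusted_user_ca.has_principals is vyos_defined %}`, or the handler should be checked to confirm the flattened key. Separately, `TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}` now points sshd at a generated file; the code that writes it must keep it root-owned and not group/world-writable, since any CA key placed in it lets sshd accept user certificates it has signed, and a short comment on the template line stating that ownership expectation would help the next maintainer. The enclosing `{% if trusted_user_ca %}` block closes outside the hunk.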