Blank CA Certificate List Breaks Public Key Authentication
Opened this issue · 0 comments
nikogura commented
The current documents seem to suggest that SSH Certificate authentication is an optional feature.
When configuring the plugin WITHOUT setting a CA certificate, Public Key login fails with an obscure internal error.
Plugin configuration:
```
$ vault read auth/ssh/config
Key                        Value
---                        -----
secure_nonce               true
ssh_ca_public_keys         []
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             []
token_ttl                  0s
token_type                 default
```
Pubkey Auth role via:
```
vault write auth/ssh/role/ubuntu token_policies="ssh-policy" public_keys=@sshkey.pub
```
Logging in via:
```
nonce=$(vault read -field nonce auth/ssh/nonce)
vault write auth/ssh/login role=<role> cert=@<certfile> nonce=$nonce signature=<base64encoded ssh signature over $nonce>
```
Produces:
```
Login attempt failed: HTTPError: HTTP Error 400: Bad Request: could not load configuration
```
However, provisioning an unused CA cert via:
```
vault write auth/ssh/config ssh_ca_public_keys=@host_ca.pub
```
Results in login as expected.
Request:
- Make CA certificates truly optional by only requiring them if certificate authentication is being performed.
- If making CA certificates optional is not desired, provide clearer error messaging describing the reason for the error, and update the docs so that it's clear that a CA is required.
Thank you.
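The two behaviours contrasted in this report, as an added Go illustration that is not the plugin's own code: a strict loader that fails every login when no config entry has ever been written (the "could not load configuration" path), beside a lenient loader plus a gate that demands CA keys only when the login actually presents a CA-signed certificate. The `sshConfig` struct, the map-backed store and the `authorize` helper are constructed stand-ins, not Vault SDK types.

```go
package main

import (
	"errors"
	"fmt"
)

// sshConfig is a constructed stand-in for the plugin's stored config entry.
type sshConfig struct {
	CAPublicKeys []string // mirrors the ssh_ca_public_keys field shown in the issue
}

// loadConfigStrict mimics the reported behaviour: if `vault write auth/ssh/config`
// was never run, there is no entry at all and every login fails with an opaque error.
func loadConfigStrict(store map[string]*sshConfig) (*sshConfig, error) {
	cfg, ok := store["config"]
	if !ok || cfg == nil {
		return nil, errors.New("could not load configuration")
	}
	return cfg, nil
}

// loadConfigLenient treats a missing entry as an empty config, so public-key
// roles keep working and the CA requirement is enforced later, where it applies.
func loadConfigLenient(store map[string]*sshConfig) *sshConfig {
	if cfg, ok := store["config"]; ok && cfg != nil {
		return cfg
	}
	return &sshConfig{}
}

// authorize gates a login: a public-key login needs only the role's registered
// key, while a CA-signed certificate needs at least one trusted CA key, and the
// error names the missing setting instead of a generic failure.
func authorize(cfg *sshConfig, certSignedByCA bool) error {
	if certSignedByCA && len(cfg.CAPublicKeys) == 0 {
		return errors.New("certificate login rejected: ssh_ca_public_keys is empty; " +
			"configure it with `vault write auth/ssh/config ssh_ca_public_keys=@ca.pub`")
	}
	return nil
}

func main() {
	store := map[string]*sshConfig{} // constructed: nothing written to auth/ssh/config yet
	_, err := loadConfigStrict(store)
	fmt.Println("strict loader, pubkey role:", err)
	cfg := loadConfigLenient(store)
	fmt.Println("lenient loader, pubkey role:", authorize(cfg, false))
	fmt.Println("lenient loader, cert role:  ", authorize(cfg, true))
}
```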