42wim/vault-plugin-auth-ssh

Blank CA Certificate List Breaks Public Key Authentication

Opened this issue · 0 comments

The current documents seem to suggest that SSH Certificate authentication is an optional feature.

When configuring the plugin WITHOUT setting a CA certificate, Public Key login fails with an obscure internal error.

Plugin configuration:

$ vault read auth/ssh/config
Key                        Value
---                        -----
secure_nonce               true
ssh_ca_public_keys         []
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             []
token_ttl                  0s
token_type                 default

Pubkey Auth role via:

vault write auth/ssh/role/ubuntu token_policies="ssh-policy" public_keys=@sshkey.pub

Logging in via:

nonce=$(vault read -field nonce auth/ssh/nonce)
vault write auth/ssh/login role=<role> cert=@<certfile> nonce=$nonce signature=<base64encoded ssh signature over $nonce>

Produces:

Login attempt failed: HTTPError: HTTP Error 400: Bad Request: could not load configuration

However provisioning an unused CA cert via:

vault write auth/ssh/config ssh_ca_public_keys=@host_ca.pub

Results in login as expected.

Request:

  1. Make CA certificates truly optional by only requiring them if certificate authentication is being performed.
  2. If making CA certificates optional is not desired, provide clearer error messaging describing the reason for the error, and update the docs so that it's clear that a CA is required.

Thank you.
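The behaviour asked for in request 1, written out as an added example that is not the plugin's own code: a Go check that demands ssh_ca_public_keys only when a cert is presented, accepts an empty CA list for public-key login, and names the real cause in each error. The names Config, parseAuthorizedKey and CheckLoginConfig are assumed here and do not come from the plugin.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Config stands in for the ssh_ca_public_keys field of auth/ssh/config (hypothetical type).
type Config struct{ SSHCAPublicKeys []string }
// parseAuthorizedKey checks the shape of an OpenSSH public key line
// ("<type> <base64 blob> [comment]"): the blob must decode and begin with the same key type string.
func parseAuthorizedKey(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", errors.New("expected '<type> <base64> [comment]'")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", fmt.Errorf("bad base64: %w", err)
	}
	if len(blob) < 4 || 4+int(binary.BigEndian.Uint32(blob)) > len(blob) {
		return "", errors.New("truncated key blob")
	}
	if t := string(blob[4 : 4+binary.BigEndian.Uint32(blob)]); t != f[0] {
		return "", fmt.Errorf("key type %q does not match blob type %q", f[0], t)
	}
	return f[0], nil
}
// CheckLoginConfig is the behaviour the issue asks for: CA keys are required
// only when a certificate is presented, and each failure names its real cause.
func CheckLoginConfig(cfg Config, cert, pubKey string) error {
	switch {
	case cert == "" && pubKey == "":
		return errors.New("either cert or public_key is required")
	case pubKey != "":
		return nil // public-key login: an empty ssh_ca_public_keys list is fine
	}
	if len(cfg.SSHCAPublicKeys) == 0 {
		return errors.New("certificate login requires ssh_ca_public_keys in auth/ssh/config")
	}
	for i, k := range cfg.SSHCAPublicKeys {
		if _, err := parseAuthorizedKey(k); err != nil {
			return fmt.Errorf("ssh_ca_public_keys[%d]: %w", i, err)
		}
	}
	return nil
}
```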