ansible-collections/community.crypto

Allow openssh_cert module to sign multiple public keys

MghRepo opened this issue · 1 comments

SUMMARY

At the moment the openssh_cert module does not seem to allow signing multiple public keys.

Compliance with OpenSSH:

```
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...
```

("file ..." at the end)

ISSUE TYPE
  • Feature Idea
  • Compliance with OpenSSH
COMPONENT NAME

openssh_cert

ADDITIONAL INFORMATION

We could rename the public_key parameter to public_keys and accept a list of paths.

Example:

```yaml
- name: Signing the host keys
  community.crypto.openssh_cert:
    type: host
    signing_key: /etc/ssh/ca
    public_keys:
      - "/etc/ssh/ssh_host_ed25519_key.pub"
      - "/etc/ssh/ssh_host_rsa_key.pub"
      - "/etc/ssh/ssh_host_ecdsa_key.pub"
    identifier: "machine host keys"
    path: /etc/ssh/ssh_host_keys-cert.pub
    valid_from: +0s
    valid_to: +32w
    valid_at: +2w
    ignore_timestamps: true
```

Well, in fact, with just one path for the output cert, it does not seem useful to have this.

ssh-keygen automatically suffixes the corresponding public key when creating the certificate... not the same behavior.
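One way to sign several host keys with the module as it exists today, added here as an example that is not part of the issue or the collection's own docs: a `loop` over the public keys, with each certificate path derived the way ssh-keygen names it (`key.pub` becomes `key-cert.pub`). The host group, CA path, `principals` value and the trailing `ssh-keygen -L` check are assumptions for the playbook; the key paths and validity window are the ones from the issue.

```yaml
# Added example (not from the issue): sign each host public key separately
# with community.crypto.openssh_cert, deriving the certificate path from
# the public key path exactly as ssh-keygen does (ssh_host_rsa_key.pub ->
# ssh_host_rsa_key-cert.pub). Host group and CA path are assumptions.
- name: Sign all SSH host keys with the host CA
  hosts: ssh_servers
  become: true
  vars:
    host_ca_key: /etc/ssh/ca
    host_public_keys:
      - /etc/ssh/ssh_host_ed25519_key.pub
      - /etc/ssh/ssh_host_rsa_key.pub
      - /etc/ssh/ssh_host_ecdsa_key.pub
  tasks:
    - name: Sign each host public key
      community.crypto.openssh_cert:
        type: host
        signing_key: "{{ host_ca_key }}"
        public_key: "{{ item }}"
        # key.pub -> key-cert.pub, matching ssh-keygen's default naming
        path: '{{ item | regex_replace("\.pub$", "-cert.pub") }}'
        identifier: "{{ inventory_hostname }} host key"
        # restrict the cert to this host's name so a stolen cert is not
        # valid for other hosts signed by the same CA
        principals:
          - "{{ inventory_hostname }}"
        valid_from: +0s
        valid_to: +32w
      loop: "{{ host_public_keys }}"

    - name: Print each certificate's contents for verification (read-only)
      ansible.builtin.command:
        argv:
          - ssh-keygen
          - -L
          - -f
          - '{{ item | regex_replace("\.pub$", "-cert.pub") }}'
      loop: "{{ host_public_keys }}"
      changed_when: false
```

Each resulting certificate then gets its own HostCertificate line in sshd_config, which is why one output path per key is needed rather than a single combined file.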