
Allow Docker SSH Outposts to use short-lived SSH certificates and customize ./ssh/config #2916

Closed
greplerio opened this issue May 21, 2022 · 1 comment · Fixed by #2917
Labels
enhancement New feature or request

greplerio commented May 21, 2022

Is your feature request related to a problem? Please describe.
I am trying to configure Authentik to use Teleport-generated short-lived SSH certificates.
This is useful because:

  1. the certificates are only valid for 60 minutes (configurable lifespan), reducing risks if they are compromised,
  2. once the certificate cycling system is set up, it doesn't require manual intervention,
  3. all access and commands can be centrally audited and revoked if necessary,
  4. using Teleport (or bastion hosts with custom SSH config files) allows us to access hosts which are normally inaccessible (they can 'phone home' to Teleport).

Describe the solution you'd like

It looks like the current system deploys a new ssh private key onto the filesystem when the docker ssh session is initialized (?).

There are two components to this request:

  1. Using a Certificate from the filesystem
    I'd like to specify a filesystem path (mounted into the docker containers, likely the containing folder /opt/machine-id) for the target Docker Outpost's ssh private key (that way the most recent cycled ssh certificate is used each time).

  2. Configure my own ssh config file / section.
    At the moment the code assembles a host-specific ssh config section and appends the configuration to the container's ~/.ssh/config file path. I'd like the option to manually specify the block of text that is appended (Teleport has some particular ssh config settings that allow you to proxy the connection through their system).

There are many configuration options which are useful for hopping through bastions, etc.: https://goteleport.com/blog/ssh-config/ which are not currently available in the bare-bones ssh configuration being generated.

```python
ssh_config.writelines(
    [
        self.header,
        f"Host {self.host}\n",
        f" IdentityFile {key_path}\n",
        f"{FOOTER}\n",
        "\n",
    ]
)
```

Describe alternatives you've considered

I have considered using the documented manual process for establishing ssh links between docker hosts but would prefer to use Teleport for the reasons above.

Additional context

I have read over the code and would be happy to take a swing at the modification; I'm comfortable hacking away with backend Python, but have not done any web interface components before.

```python
def __init__(self, host: str, keypair: CertificateKeyPair) -> None:
    self.host = host
    self.keypair = keypair
    if not self.keypair:
        raise DockerException("keypair must be set for SSH connections")
    self.config_path = Path("~/.ssh/config").expanduser()
    self.header = f"{HEADER} - {self.host}\n"
```

I stumbled across Authentik a month ago and have loved its ease of use compared to KeyCloak! Thank you 🔥
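The two pieces of the request (an IdentityFile/CertificateFile path taken from the filesystem, plus a user-supplied block of extra ssh options) can be sketched as a small config generator. This is an added example, not authentik's code or Teleport's; the `HEADER`/`FOOTER` markers, the `/opt/machine-id/...` paths and the `bastion.example` host are constructed for illustration. It also does one thing the quoted snippet does not: it replaces a previously written block for the same host between the marker lines instead of appending a duplicate every time the connection is initialised, and it rejects extra-option lines that would open a new `Host`/`Match` stanza and silently apply to other hosts.

```python
"""Generate and upsert a managed ssh_config Host block (added example)."""
import re
from pathlib import Path
from typing import Optional

# Constructed marker lines; authentik uses its own HEADER/FOOTER constants.
HEADER = "### Managed by example-outpost"
FOOTER = "### End managed block"


def build_host_block(
    host: str,
    identity_file: str,
    certificate_file: Optional[str] = None,
    extra_options: Optional[str] = None,
) -> str:
    """Return one Host stanza wrapped in HEADER/FOOTER markers.

    identity_file    -> path of the (regularly rotated) private key on disk
    certificate_file -> optional path of the matching SSH certificate
    extra_options    -> free-form ssh_config lines (ProxyCommand, User, ...)
    """
    lines = [f"{HEADER} - {host}", f"Host {host}", f"    IdentityFile {identity_file}"]
    if certificate_file:
        # CertificateFile is the OpenSSH option for an explicit cert path.
        lines.append(f"    CertificateFile {certificate_file}")
    if extra_options:
        for raw in extra_options.splitlines():
            raw = raw.strip()
            if not raw or raw.startswith("#"):
                continue
            # ssh_config accepts "Keyword value" and "Keyword=value" forms.
            keyword = re.split(r"[\s=]", raw, maxsplit=1)[0].lower()
            if keyword in ("host", "match"):
                # A new stanza would end ours and leak options to other hosts.
                raise ValueError(f"extra options may not start a new stanza: {raw!r}")
            lines.append(f"    {raw}")
    lines.append(FOOTER)
    return "\n".join(lines) + "\n"


def upsert_host_block(config_text: str, host: str, block: str) -> str:
    """Replace the managed block for `host` in config_text, or append it."""
    lines = config_text.splitlines(keepends=True)
    header = f"{HEADER} - {host}"
    start = next((i for i, line in enumerate(lines) if line.rstrip("\n") == header), None)
    if start is None:
        sep = "" if not config_text or config_text.endswith("\n") else "\n"
        return config_text + sep + block
    end = next((i for i in range(start, len(lines)) if lines[i].rstrip("\n") == FOOTER), None)
    if end is None:
        raise ValueError(f"unterminated managed block for {host}")
    return "".join(lines[:start]) + block + "".join(lines[end + 1 :])


def write_host_block(config_path: Path, host: str, block: str) -> None:
    """Upsert the block into an ssh_config file, keeping it owner-only."""
    config_path.parent.mkdir(parents=True, exist_ok=True)
    existing = config_path.read_text() if config_path.exists() else ""
    config_path.write_text(upsert_host_block(existing, host, block))
    config_path.chmod(0o600)


if __name__ == "__main__":
    # Constructed sample: key and cert dropped by a rotation agent, plus a
    # proxy hop through a bastion supplied as free-form extra options.
    block = build_host_block(
        "outpost-1",
        "/opt/machine-id/key",
        "/opt/machine-id/key-cert.pub",
        "ProxyCommand ssh -W %h:%p bastion.example\nUser root",
    )
    print(upsert_host_block("Host other\n    User alice\n", "outpost-1", block))
```

Running the block twice against the same config yields one stanza, and a later run with a new key path overwrites the old one in place, which is the behaviour you want when the certificate on disk is cycled every hour.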

greplerio added the enhancement label May 21, 2022

greplerio (Author) commented:

I should note that the Teleport Machine-ID system is still a work in progress, though it's nearing its production release in 9.3/10. I have it working and I really like it.

I'd give some examples of the ssh_config files they are generating but they are currently refactoring them:
gravitational/teleport#11596

BeryJu added a commit that referenced this issue May 21, 2022
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
