
Signed SSH Certificates support certificate identity #3379

Closed
dmyerscough opened this issue Sep 26, 2017 · 3 comments

Comments

@dmyerscough

Feature Request:

With Signed SSH Certificates it would be good to accept certificate_identity when signing SSH keys. This would make it much easier to identify from the logs who logged in.

Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: Accepted publickey for root from 192.168.1.185 port 50550 ssh2: RSA-CERT ID vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28 (serial 5524078550575389286) CA RSA SHA256:M8aK9I71gPPKjM20o3nrAcYokUsfLQz2xlTdCstJ1Ig
Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: pam_unix(sshd:session): session opened for user root by (uid=0) 

Reading vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28 it isn't clear who logged in. ssh-keygen supports the -I flag, which allows you to specify an identity.

@dmyerscough
Author

This already exists; I found the solution reading the source code.

@vishalnayak
Member

@dmyerscough Which option worked out to be a solution for you?

@dmyerscough
Author

@vishalnayak so looking through the source I found the option allow_user_key_ids. Setting this to true allows you to inject usernames, which makes it easy to identify who logged in with which certificate.

E.g.

$ ./vault write ssh-client-signer/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allow_user_key_ids": "true",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "root",
  "ttl": "30m0s"
}
EOH
$ vault write ssh-client-signer/sign/my-role key_id="damian" public_key=@$HOME/.ssh/id_rsa.pub

Then when SSHing into a host you can see the key_id, which is a lot easier to identify.

Sep 26 16:26:40 localhost sshd[1185]: Accepted publickey for root from 192.168.99.1 port 53438 ssh2: RSA-CERT ID damian (serial 1891934964527850342) CA RSA SHA256:00tgDa0i//gT0aYpNlTfrBr/z8Xk/xeViropxrWdLYE
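The two sshd lines quoted in this thread (one carrying Vault's auto-generated key ID, one carrying key_id="damian") are exactly what an operator or a SOC has to correlate after the fact. As an added example, not code from this issue or from Vault, the Python below parses "Accepted publickey" lines into structured records (user, source, certificate key ID, serial, CA fingerprint), flags key IDs that still have the opaque default form, and checks the issuing CA against an allow-list. The two log lines are taken from this issue; the `is_opaque_key_id` heuristic (a `vault-` prefix plus a 64-hex-character suffix, as seen in the first sample line) is an assumption for this example and not a documented Vault format, and the trusted-CA set in the usage block is constructed so that both the trusted and the untrusted outcome are shown.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample input: the two "Accepted publickey" lines quoted in this
# issue, plus the pam_unix line, which carries no certificate data and is skipped.
SAMPLE_LOG = """\
Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: Accepted publickey for root from 192.168.1.185 port 50550 ssh2: RSA-CERT ID vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28 (serial 5524078550575389286) CA RSA SHA256:M8aK9I71gPPKjM20o3nrAcYokUsfLQz2xlTdCstJ1Ig
Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 26 16:26:40 localhost sshd[1185]: Accepted publickey for root from 192.168.99.1 port 53438 ssh2: RSA-CERT ID damian (serial 1891934964527850342) CA RSA SHA256:00tgDa0i//gT0aYpNlTfrBr/z8Xk/xeViropxrWdLYE
"""

# OpenSSH logs a certificate login as:
#   Accepted publickey for <user> from <ip> port <port> ssh2: <TYPE>-CERT ID <key_id> (serial <n>) CA <TYPE> <fingerprint>
# key_id is matched lazily because OpenSSH allows spaces inside it.
CERT_LOGIN_RE = re.compile(
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<key_type>[A-Z0-9]+)-CERT ID (?P<key_id>.+?) "
    r"\(serial (?P<serial>\d+)\) CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+)"
)


@dataclass(frozen=True)
class CertLogin:
    host: str
    user: str
    src_ip: str
    port: int
    key_type: str
    key_id: str
    serial: int
    ca_fingerprint: str


def parse_cert_logins(log_text: str) -> List[CertLogin]:
    """Return one CertLogin per certificate-based 'Accepted publickey' line."""
    logins = []
    for line in log_text.splitlines():
        m = CERT_LOGIN_RE.search(line)
        if not m:
            continue  # password / plain-key logins and session lines carry no cert data
        logins.append(CertLogin(
            host=m["host"], user=m["user"], src_ip=m["src_ip"],
            port=int(m["port"]), key_type=m["key_type"], key_id=m["key_id"],
            serial=int(m["serial"]), ca_fingerprint=m["ca_fp"],
        ))
    return logins


# Assumption for this example: a key ID shaped like "vault-<something>-<64 hex chars>",
# as in the first sample line, is an auto-generated ID that says nothing about the
# human behind the login. Anything else is treated as an operator-chosen key_id
# (the allow_user_key_ids case described in the thread).
OPAQUE_KEY_ID_RE = re.compile(r"vault-.+-[0-9a-f]{64}")


def is_opaque_key_id(key_id: str) -> bool:
    return OPAQUE_KEY_ID_RE.fullmatch(key_id) is not None


def audit(log_text: str, trusted_ca_fingerprints: Set[str]) -> List[str]:
    """One finding per certificate login: who it was (if the key ID tells us) and
    whether the issuing CA is one we operate. An unknown CA is the alertable case."""
    findings = []
    for login in parse_cert_logins(log_text):
        if is_opaque_key_id(login.key_id):
            who = f"UNKNOWN (opaque key ID {login.key_id[:16]}...)"
        else:
            who = login.key_id
        ca_status = "trusted CA" if login.ca_fingerprint in trusted_ca_fingerprints else "UNTRUSTED CA"
        findings.append(
            f"{login.host}: {who} -> {login.user}@{login.src_ip} serial={login.serial} [{ca_status}]"
        )
    return findings


if __name__ == "__main__":
    # Constructed allow-list: only the CA from the first sample line is "ours",
    # so the second login is reported as coming from an untrusted CA.
    trusted = {"SHA256:M8aK9I71gPPKjM20o3nrAcYokUsfLQz2xlTdCstJ1Ig"}
    for finding in audit(SAMPLE_LOG, trusted):
        print(finding)
```

The CA fingerprint check is the part worth keeping in production: a human-readable key_id tells you who a certificate was issued to, but only the CA fingerprint tells you whether the certificate came from the signer you actually trust, and sshd will happily log a convincing key_id from any CA listed in TrustedUserCAKeys.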
