How is 'step' used on the client side for admin work ?

[nklamann]

Hello all
I have lot of existing ssh connections from a windows box and use mostly mobaxterm, and sometimes putty.
I use pageant and have the keys for the identitiy file(s) in keepass which loads them in pageant. This is quite comfortable but not really secure for the reasons you describe convincingly .

Absent the authorized key file I would have to get a bearer token from a website and use this, if I understand correctly This would mean additional steps for every host I visit and is quite a hassle with 20 or more ssh connections. Or can I use the same token for any host which trusts the same Identity provider ? If yes, can I keep the token in memory or do I have to copy/paste ist again and again ?

How would that work in practice with which ssh client under windows ?

I would like to get security and some luxury ;-)

Thanks for listening

Norbert

[maraino]

How is 'step' used on the client-side for admin work ?

We can create ssh certificates you can use to authenticate to multiple servers. By default, these certificates are valid by 16h, and they generally live in the ssh-agent. I don't think putty supports them though, and I'm not sure about mobaxterm, but ssh for windows does.

Then those certificates need to be trusted but the servers, there's a couple of ways to do it, generally modifying the /etc/sshd_config, but there're other ways, for more details see this discussion #443

So there're no additional steps on the client-side for every host you visit, but you need to configure each host once to trust (user) certificates.

[maraino]

To be clear, if you have multiple hosts configured, you will only authenticate once per day to access any of them.

[maraino]

And sleep, not work for at least 8h 😉

[nklamann]

I live and work in another timezone ! (CET)

[nklamann]

So I have to use ssh-agent and not pageant.exe. Fair enough and that rules out putty.

But i do not understand the client configuration and the process. Is there any walkthrough of the steps on the client side of things , for human users, using windows tools ?

How do I prepare the client ?
Do I need an identitiy file ?
Can I use a stanza in my ~\ssh\config and what can / should it contain ?
How do I load the server certificates in the ssh-agent ?
How do i tell the ssh-client that I want to use the certificate of the server an mine ?

I presume all of this is answered in your documentationm and your blog (which is really good , BTW) but I have a hard time to figure this out.

Maybe some background is in order. I am a consultant in the Oracle database and unix area and work at customers sites with lots and lots of ssh connections . And of course they all use the 'authorized_keys' file with all the same keys everywhere. SSH certificates are clearly better and I would like to promote this idea but I have to show how this works and that the workload for admins is bearable - even in the short term. Because if it is not - nobody cares for the long term. Thats the way the corporate world is.

One other caveat. Nearly none of the servers can reach the internet and so any kind of hosted solution is out of the question.

Thanks a lot for your work, it is very much appreciated.

[maraino]

I live and work in another timezone ! (CET)

It was a "joke" about the 16h duration.

So I have to use ssh-agent and not pageant.exe. Fair enough and that rules out putty.

An ssh-agent is not required, but it makes things easier, but ssh certificates support is, and I think that's what rules out putty (last time I checked).

But i do not understand the client configuration and the process. Is there any walkthrough of the steps on the client side of things , for human users, using windows tools ?

There's nothing specific for windows, and open source docs for SSH are yet in progress, this blog post might be helpful:
https://smallstep.com/blog/diy-single-sign-on-for-ssh/

How do I prepare the client ?

Once you have step-ca running, initialized with step ca init --ssh, the client should run the bootstrap command to install the root certificates and defaults:

step ca bootstrap --ca-url your-ca.local --fingerprint xxxyyy

And then configure the ssh client:

step ssh config

That configuration is supported by OpenSSH (also in windows). To install it you need windows 10:
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Do I need an identitiy file ?

No, at the moment only the SaaS requires the identity file.

Can I use a stanza in my ~\ssh\config and what can / should it contain ?

step ssh config will automatically add an include to ~/.step/ssh/config, the default might not work for all uses cases, but you can edit as you want. See the discussion on #443, that describes the default one.

How do I load the server certificates in the ssh-agent ?

You need to have ssh-agent running, and configured in your terminal/powershell. These I think are windows instructions:
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

For linux, macOS, and others, not for windows unless you use WSL you will need the appropriate SSH_AUTH_SOCK environment variable.

Other than that, step will do it for you. If you remove them you can also add them with ssh-add. Take into account that only step ssh certificate creates files, other commands like step ssh login uses only the ssh-agent.

So if you have the files mykey, mykey-cert.pub and mykey.pub created with step ssh certificate, this will add the cert (and private key) to the agent:

ssh-add mykey

How do i tell the ssh-client that I want to use the certificate of the server an mine ?

OpenSSH will try to use up to 5 keys in the agent, I believe that's the default, if you have more and the one you need is not attempted in the first 5, they you my have problems. But other than that OpenSSH will use the agent by default. But you can also specify it using -i mykey as long as mykey-cert.pub is in the same directory

ssh -i mykey myhost.local

One other caveat. Nearly none of the servers can reach the internet and so any kind of hosted solution is out of the question.

Not 100% there but we're already working on on-prem solutions.

I hope this answers all your questions. And we need to work on better docs on open-source SSH, the initial focus has be X.509 certificates.

[nklamann]

Many thanks for taking the time to write this