logging in with ssh certificates #13
Comments
oseiberts11
changed the title
|
For the known_hosts issue, I think you have to also define I will look more into the SSH certificates and see if that's possible. |
|
So it looks like based on one example I found: https://stackoverflow.com/a/52139555 , that to support SSH with certificates would require the host running this exporter to have access to both the certificate public and private keys. Will such a solution work for you having to give the exporter access to both public and private keys for the certificate? |
|
Thanks for finding that example. It looks like it is just the thing for this use case. It confuses me a bit with the file names it uses, since they don't seem to be the same as the "normal" ones (I have I think the private key that the example talks about must be my private key, not the private key of the CA. But what confuses me here is the talk about "creating a signer from the private key": somehow that seems more like something a CA would do (and hence use the CA private key). Using my own private key is ok for me. As I understand it, the ssh client program also still uses it somehow when connecting to the server. For example, if you specify an identity file with the The main advantage we have with the certificates is that we don't have to pre-create users with If there are different code paths to follow for both login procedures (with or without certificate), it would be perfectly reasonable to me if you decide based on the presence of a Does that make sense? |
|
I dabbled myself a bit (I'm not so used to go) and this is the result: #14 |
|
@oseiberts11 I released #14 in v1.3.0-rc.0: https://github.com/treydock/ssh_exporter/releases/tag/v1.3.0-rc.0. If this works for you I will promote to v1.3.0. |
|
Thanks! I gave it a whirl, and it passed the tests and my own test as well. Looks good! |
|
Released v1.3.0 with #14 that closes this issue. |
Hi! I'm trying out your ssh_exporter. You may have noticed that I ran into a few small snags in your README :)
Right now I am trying to actually log in a user. We are not using private keys directly for authentication, but key certificates. The ssh server uses
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys(andHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub), in its configuration. Users also have ed25519 keys.I found an article about this here: https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39
https://www.lorier.net/docs/ssh-ca.html also looks good (much more compact though: gives very specific commands to run but with less explanation).
I haven't found a way yet to log in with this sort of configuration. Am I missing something?
Futhermore, if I specify a known_hosts file, I see the same error as in golang/go#33366 :
level=error ts=2021-09-30T12:26:26.813Z caller=collector.go:128 target=hostname:22 msg="Failed to establish SSH connection" err="ssh: handshake failed: ssh: no authorities for hostname: hostname:22".If I leave the known_hosts file out, then a "normal" authentication failure:
level=error ts=2021-09-30T12:47:15.063Z caller=collector.go:128 target=hostname:22 msg="Failed to establish SSH connection" err="ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain".The text was updated successfully, but these errors were encountered: