
We're converting our ssh host keys to certificate-signed keys. I wanted to write a script that would use ssh-keyscan to grab all the public keys, then sign them all, and then use ansible to push the signed keys back out to all the systems. I do want a passphrase on my CA key that I use to sign host keys.

So I thought I'd be clever and fire up ssh-agent at the beginning of the script, use ssh-add to add the CA key to ssh-agent, and then run off a bunch of ssh-keygen -s commands without it prompting for the passphrase. The ssh-agent seems to start successfully, the ssh-add works, but the ssh-keygen does not seem to be using ssh-agent to get the CA key for signing. Is this a missing feature in ssh-keygen? I don't want to waste time debugging this script if ssh-keygen simply doesn't do this.

At this point, yes, I know I could strip the passphrase, do the work once, and then put the passphrase back. But in the future we may well want to bulk-add more hosts again, and it would be nice to both have a passphrase, and have a script that will bulk sign.

I'm open to alternate approaches but I'd also like a definitive answer about whether or not ssh-keygen is supposed to do this. I've searched and haven't found this info anywhere.

  • Please show us your script, and any output from the attempts and failures. Commented May 22 at 15:05

1 Answer


Apparently on BSD systems there is a "-U" option, explicitly mentioned in the documentation, that can be added when signing, which tells it to use the agent for the CA. The non-BSD systems' documentation show a different usage for "-U" (keys stored in smartcards). HOWEVER, the same option does also seem to work on at least some non-BSD systems (e.g. RHEL8).

So the solution is to use "-Us" instead of just "-s" when signing.

Simplest sample implementation, signing using ssh-agent:

#!/bin/sh

#generate a test CA (prompts for the passphrase that the agent will later hold)
ssh-keygen -t rsa -f /tmp/test_rsa_CA

#copy in a test ssh host key to sign
cp /etc/ssh/ssh_host_rsa_key.pub /tmp

eval "$(ssh-agent -s)"
echo "agent running on $SSH_AGENT_PID"

#add the test CA to ssh-agent (prompts for the passphrase once)
ssh-add /tmp/test_rsa_CA

#test signing using agent
#The -U option is better documented on BSD systems but works at least in RHEL8
#(with -U the CA is identified by its public half; /tmp/test_rsa_CA.pub sits alongside)
ssh-keygen -Us /tmp/test_rsa_CA -I test -n test.example.com -V -1d:+30d -h /tmp/ssh_host_rsa_key.pub

kill "$SSH_AGENT_PID"
  • It's really not about "BSD vs non-BSD" – it's about "your distribution ships an OpenSSH version that predates the addition of this option". I assume you were looking at RHEL7 which had version 7.4 – but the option was added in 7.6 (only seven years ago), so any non-BSD that has a recent version will have this option as well. Commented May 22 at 21:54
  • It's RHEL8. I think the confusion came for me from the fact that while the feature clearly exists in the software, it still does not exist in the shipped documentation. I checked through the man page several times looking for some indication of how to accomplish this. Only a random attempt on a MacOS system led me to the answer. Commented May 23 at 2:04
  • The documentation (the ssh-keygen manpage) was updated in the same git commits that added the feature and was definitely shipped with OpenSSH upstream... Were you checking on the same system or online docs? (I did find the old "-U: smartcard" option in FreeBSD's manpage collection under "RedHat 8"... but that's not RHEL 8, that's RHL 8 from 2002. The new "-U: agent" option is definitely there for Rocky 8.3 though, which I believe would be the RHEL equivalent.) Commented May 23 at 4:10
  • It turns out I had a long forgotten /home/myusername/man directory that had a tiny handful of commands in there, including ssh-keygen.1 from (as you said) 2002. And, apparently even if you set an empty MANPATH man automatically tries to search in certain standard locations based on the PATH. Commented May 23 at 18:53
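The bulk workflow the question describes (scan, sign with the agent-held CA, check, push), as an added example that is not code from the question or the answer above. It assumes a hosts file with one hostname per line and an output directory named by OUTDIR; the function names, the VALIDITY window and the sample keyscan lines are all made up here. The one thing the agent buys you is visible in bulk_sign: ssh-add prompts for the CA passphrase exactly once, and every following ssh-keygen -Us call signs without a prompt. The check step is what a practitioner wants before letting ansible push anything out: ssh-keygen -L confirms each result is a host certificate (not a user one) carrying the expected principal.

```shell
#!/bin/sh
# Added example, not code from the question or answer above: bulk-sign host keys
# with a passphrase-protected CA that lives in ssh-agent, using `ssh-keygen -Us`.
# Assumptions: a hosts file with one hostname per line; OUTDIR holds the scanned
# .pub files and the resulting *-cert.pub files. OUTDIR and VALIDITY are made up.
set -eu

OUTDIR="${OUTDIR:-./signed}"          # assumed output directory
VALIDITY="${VALIDITY:--1d:+52w}"      # assumed validity window (ssh-keygen -V syntax)

# Turn ssh-keyscan output ("host keytype base64key"; blanks and '#' comments are
# skipped) into one public-key file per host and key type. Reads stdin and
# prints "host path" for every file written, so a caller can loop over the result.
split_keyscan_output() {
    mkdir -p "$OUTDIR"
    while read -r host ktype key; do
        case "$host" in ''|'#'*) continue ;; esac
        # keep the filename safe even for "[host]:port" style entries
        safe=$(printf '%s' "$host" | sed 's/[^A-Za-z0-9._-]/_/g')
        out="$OUTDIR/$safe.$ktype.pub"
        printf '%s %s\n' "$ktype" "$key" > "$out"
        printf '%s %s\n' "$host" "$out"
    done
}

# Sign one host public key as a host certificate. The CA is named by its
# *public* key file; -U makes ssh-keygen ask the agent for the matching private
# key instead of opening the private key file (which would prompt for the
# passphrase on every call). ssh-keygen writes the result as <name>-cert.pub.
sign_host_key() {                      # $1 = CA public key, $2 = host .pub, $3 = principal
    ssh-keygen -q -Us "$1" -I "host:$3" -h -n "$3" -V "$VALIDITY" "$2"
}

# Check a certificate before pushing it out: it must be a host certificate
# (not a user one) and must list the expected principal.
check_host_cert() {                    # $1 = *-cert.pub, $2 = expected principal
    info=$(ssh-keygen -L -f "$1")
    printf '%s\n' "$info" | grep -q 'Type: .* host certificate' &&
    printf '%s\n' "$info" | grep -q "[[:space:]]$2\$"
}

# Full run: one passphrase prompt at ssh-add, then unattended signing.
# usage: ./bulk-sign.sh /path/to/host_ca hosts.txt   (host_ca.pub must exist too)
bulk_sign() {                          # $1 = CA private key, $2 = hosts file
    eval "$(ssh-agent -s)" >/dev/null
    trap 'kill "$SSH_AGENT_PID"' EXIT    # never leave the CA loaded in a stray agent
    ssh-add "$1"                         # the only interactive step
    ssh-keyscan -t ed25519,rsa -f "$2" 2>/dev/null | split_keyscan_output |
    while read -r host pub; do
        sign_host_key "$1.pub" "$pub" "$host"
        check_host_cert "${pub%.pub}-cert.pub" "$host" ||
            echo "WARNING: certificate for $host failed verification" >&2
    done
}

if [ $# -eq 2 ]; then
    bulk_sign "$1" "$2"
fi
```

The agent is started and killed inside the script rather than reused from the login session, so the CA private key is only ever loaded for the duration of one signing run.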
