Assigned
Status Update
Comments
kh...@google.com <kh...@google.com> #2
Can you provide me with the error message that you receive when trying to ssh to your VM instance using CA signed keys?
in...@gmail.com <in...@gmail.com> #3
This is when I try to add the CA key to my project metadata.
The error is: Invalid key. Required format: <protocol> <key-blob> <username@example.com>
All you need to do on your end is change the regex to start with something like ^(?:@cert-authority\s+\S+\s+)? but a better solution would be to recognise this as a CA and append it to a TrustedUserCAKeys file with the relevant line in /etc/ssh/sshd_config
This is important for people who want to scale without having to manage this little aspect themselves in a startup script. You support sshKeys in the metadata anyway so it makes sense to complete this feature with CA support.
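One way to validate such metadata entries, shown here as an added example that is not part of the original thread or of Google's code: it accepts the optional `@cert-authority` marker suggested in comment #3, checks that the declared protocol matches the algorithm name embedded in the key blob, and separates CA entries from ordinary user keys. The function names are hypothetical and `sample_blob` builds constructed test blobs, not real keys.

```python
import base64
import re
import struct

# Optional "@cert-authority <pattern>" marker, then the format from the
# error message: <protocol> <key-blob> <username@example.com>.
LINE_RE = re.compile(
    r"^(?:(?P<marker>@cert-authority)\s+(?P<pattern>\S+)\s+)?"
    r"(?P<protocol>\S+)\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.+))?$"
)

def sample_blob(name):
    """Constructed sample: length-prefixed algorithm name plus filler bytes."""
    raw = struct.pack(">I", len(name)) + name.encode() + b"\x00" * 16
    return base64.b64encode(raw).decode()

def blob_algorithm(blob_b64):
    """Return the algorithm name embedded at the start of an SSH key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or 4 + length > len(raw):
        raise ValueError("bad length prefix in key blob")
    return raw[4:4 + length].decode("ascii")

def classify(line):
    """Return ('ca' | 'user', protocol, blob) or raise ValueError."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("invalid key line")
    protocol, blob = m["protocol"], m["blob"]
    # Reject entries whose declared protocol disagrees with the blob itself.
    if blob_algorithm(blob) != protocol:
        raise ValueError("protocol does not match key blob")
    return ("ca" if m["marker"] else "user", protocol, blob)

def split_keys(lines):
    """Separate CA entries from user keys; collect anything malformed."""
    out = {"ca": [], "user": [], "rejected": []}
    for line in lines:
        try:
            kind, protocol, blob = classify(line)
            out[kind].append(f"{protocol} {blob}")
        except ValueError:  # also covers base64 and ASCII decode errors
            out["rejected"].append(line)
    return out
```

The `ca` list is what a guest agent could write to a file referenced by `TrustedUserCAKeys`, while `rejected` entries are never written anywhere.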
kh...@google.com <kh...@google.com> #4
I have forwarded this request to the engineering team. We will update this issue with any progress updates and a resolution.
sh...@gmail.com <sh...@gmail.com> #5
Any update on this?
is...@google.com <is...@google.com>
sa...@google.com <sa...@google.com> #6 Restricted+
Comment has been deleted.
ze...@gmail.com <ze...@gmail.com> #7
Why can't this be fixed? Isn't it just a matter of relaxing a regular expression?
sa...@google.com <sa...@google.com> #8
Hi Zenczykowski, Please ignore
It is now possible to set an SSH certificate authority CA via the Cloud Console in the “sshKeys” Metadata section [1] or via the gcloud command [2].
Have a nice day,
Murali
[1]
[2]
Description
@cert-authority * ssh-rsa <...>
Appended to /etc/ssh/ssh_known_hosts
The reasons why should be self-explanatory.