GoogleCloudPlatform / guest-agent

Allow "bring your own" SSH certificates based auth

siddharthab opened this issue

Wanted to get an opinion from people on what they think about using certificate-based SSH auth alongside account management provided by OS Login.

We want some notion of credentials that are not permanent and cannot be copied. OS Login SK in principle would work for us, but unfortunately, it is not supported by VS Code, which is a blocker for us (VSCode Issue link). We can either upstream a VS Code fix, or use SSH certificates. We chose SSH certificates thinking it will be simpler.

We patch sshd config to use certificates, but we want to continue using OS Login so our patch needs to work alongside the patch that guest-agent makes to sshd config. There are two issues however:

  1. There is a bug in some versions of openssh (latest in Ubuntu 22.04, etc.) that prevents AuthorizedPrincipalsCommand from being picked up if AuthorizedKeysCommand is set before it. guest-agent always puts its section at the top of the file, so we have to resort to using AuthorizedPrincipalsFile which is not ideal.

  2. It looks like guest-agent will start setting TrustedUserCAKeys soon (#224). That may also interfere with our patch because we will have our own value for this setting. I have not looked into this in detail.

One possible way forward is to introduce a configurable setting to stop guest-agent from modifying sshd config and allow the user to bring in their own auth mechanisms.

Another possible way is that guest-agent starts supporting user-configured AuthorizedPrincipalsCommand and TrustedUserCAKeys. At the very least, guest-agent can try to not break the use case where people are patching in these two settings.

Thoughts?

Hi @siddharthab

Thanks for reporting this. We are aware of the issue and we are working to best support customers' use cases when it comes to using their own certificates.

It looks like #224 mentioned in the description above went live today for our machines, and our SSH cert mechanism is broken. Is there any guidance on how users can bring their own certificates?

This is a significant outage for us as our login mechanisms are not sufficient to work with VS Code. The remediation is that we lower our security posture while we wait for guidance from GCP.

Hi @siddharthab, could you check if disabling the certificate-based authentication in the guest-agent is enough for your use case? (Please find more information here - the config section and keys (in the table) are respectively OSLogin and cert_authentication.)

Yes, just verified that the setting works for us. Thank you so much! I should have searched for it myself first before posting here.

Closing this issue as there is a forward path for users wanting to bring their own SSH certs.

  1. Users need to have the following section in either /etc/default/instance_configs.cfg or /etc/default/instance_configs.cfg.distro.

     ```ini
     [OSLogin]
     cert_authentication = false
     ```

  2. Their openssh server needs to be version 9.4 or above to be able to use their own AuthorizedPrincipalsCommand, else they will have to resort to AuthorizedPrincipalsFile.
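
The two conditions from the closing comment, plus the directive-ordering problem from the original report, written as a preflight check. This is an added example, not code from guest-agent or from anyone in the thread; the function names, sample paths and sample inputs are constructed. It inspects one config file's text at a time and assumes nothing about precedence between the two files.

```python
import configparser
import re

def cert_auth_setting(cfg_text):
    """Return [OSLogin] cert_authentication as True/False, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    return cp.getboolean("OSLogin", "cert_authentication", fallback=None)

def openssh_version(banner):
    """Extract (major, minor) from a banner such as 'OpenSSH_8.9p1 Ubuntu-3'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def first_directive_lines(sshd_text):
    """Map lower-cased sshd_config keyword -> line number of first occurrence."""
    seen = {}
    for n, line in enumerate(sshd_text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            seen.setdefault(re.split(r"[\s=]+", line, maxsplit=1)[0].lower(), n)
    return seen

def preflight(cfg_text, banner, sshd_text):
    """Return a list of findings; an empty list means no conflict was found."""
    findings = []
    if cert_auth_setting(cfg_text) is not False:
        findings.append("cert_authentication is not set to false under [OSLogin]")
    seen = first_directive_lines(sshd_text)
    cmd = seen.get("authorizedprincipalscommand")
    keys = seen.get("authorizedkeyscommand")
    ver = openssh_version(banner)
    if cmd and (ver is None or ver < (9, 4)):
        findings.append("AuthorizedPrincipalsCommand needs OpenSSH 9.4+; "
                        "use AuthorizedPrincipalsFile on this server")
        if keys and keys < cmd:
            findings.append(f"AuthorizedKeysCommand (line {keys}) precedes "
                            f"AuthorizedPrincipalsCommand (line {cmd})")
    return findings

# Constructed sample inputs (placeholder paths), not taken from a real machine.
SAMPLE_CFG = "[OSLogin]\ncert_authentication = false\n"
SAMPLE_BANNER = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022"
SAMPLE_SSHD = ("AuthorizedKeysCommandUser root\n"
               "AuthorizedKeysCommand /opt/example/keys\n"
               "AuthorizedPrincipalsCommand /opt/example/principals %u\n")

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_CFG, SAMPLE_BANNER, SAMPLE_SSHD)) or "ok")
```

On a real host, feed it the contents of the two files named above, the sshd_config text, and the server's version banner.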