Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

spiffe-step-ssh server #198

Merged
merged 107 commits into from
Nov 8, 2024
Merged

spiffe-step-ssh server #198

merged 107 commits into from
Nov 8, 2024

Conversation

kfox1111
Copy link
Collaborator

@kfox1111 kfox1111 commented Jan 22, 2024

Add a feature to enable trading a spire based cert for a signed ssh host cert automatically.

This enables hosts to start from scratch at bringup, attest with spire, and then get a signed ssh certificate users can trust came from the ssh ca.

Server components involved:

  • spire-server (deployed with spire chart)
  • step-ca server (deployed with spire-step-ssh)
    • step - step certificate authority instance
    • spiffe-step-ssh-fetchca - lets you fetch the ca.pem for step using spiffe's certs for trust.
    • spiffe-step-sssh-config - generates and maintains the config file for step. Injects the spiffe ca into the config.

Host components involved:

  • spire-agent
  • spiffe-helper
  • step (step ca client)
  • sshd

User components:

  • ssh (client)
  • configure known_hosts with step-ca ssh signature.

@kfox1111 kfox1111 added the review ready Ready for review but not merge label Jan 23, 2024
@edwbuck
Copy link
Collaborator

edwbuck commented May 22, 2024

Please update this commit to the baseline, so we can better determine if it is nearly ready for 0.22.0.

@edwbuck
Copy link
Collaborator

edwbuck commented Jun 18, 2024

A small description of the architectural elements that are going to be impacted is needed. This request comes from having some SSH clients that are not managed within the HELM items being supported, which impacts the overall security of the solution. I think the feature could be very beneficial, but the original problem being solved (other than containerized process access) needs a description, as well as all the impacted components (within HELM and outside of HELM).

@kfox1111 kfox1111 changed the title Initial prototype of spire-step-ssh integration Initial prototype of spiffe-step-ssh integration Sep 20, 2024
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
@faisal-memon faisal-memon self-assigned this Nov 8, 2024
Co-authored-by: Faisal Memon <[email protected]>
Signed-off-by: kfox1111 <[email protected]>
@faisal-memon faisal-memon merged commit ec72596 into main Nov 8, 2024
74 checks passed
@faisal-memon faisal-memon deleted the spire-step-ssh branch November 8, 2024 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants