Satellite / SAT-28038

Support for SSH certificates in Remote Execution

Type: Epic
Status: To Do
Resolution: Unresolved
Component: Remote Execution
Goal:

• Our customers in regulated environments are asked to use SSH certificates to avoid the trust-on-first-use (TOFU) model and to be able to regenerate the Capsule's private key efficiently.
• The key typically needs to be renewed about once a year.
• We need to provide an easy way to use existing SSH CA infrastructure, not necessarily automating its creation and management.

Acceptance Criteria:

• The customer must be able to provide the public key, private key and certificate that the Capsule should use for user authentication during the REX connection.
• The customer must be able to provide the CA certificate that should be trusted when connecting from the Capsule to all target hosts.
• Once provided and configured, the Capsule must trust a target host's certificate if it was signed by the provided CA. The host must also authenticate the user successfully without the public key being deployed to its authorized_keys file.
• The customer should not have to set up file permissions and ownership manually, and the configuration must be preserved across Satellite upgrades.
• The customer must be able to easily reconfigure all four assets on a regular basis.
• Registration and provisioning flows must configure sshd on the registered/provisioned machine accordingly.
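The acceptance criteria map onto plain OpenSSH settings (what they call the CA certificate is, in OpenSSH terms, the CA's public key). The script below is an added example, not Satellite or Capsule code, that writes those settings into a scratch directory: on the target host, a TrustedUserCAKeys and HostCertificate drop-in for sshd, so no authorized_keys entry is needed; on the Capsule, an ssh client config with CertificateFile and a known_hosts @cert-authority line that replaces per-host TOFU entries. Where ssh-keygen is available it also issues the four assets (user key, user certificate, CA public key, host certificate) with a one-year validity. The key path under /var/lib/foreman-proxy/ssh, the domain example.internal, the principal root and the 52-week validity are assumptions.

```shell
#!/bin/sh
# Added example (not Satellite/Capsule code): the OpenSSH configuration the
# acceptance criteria describe, written into a scratch directory.
# Paths, host names, principals and validity are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch root standing in for / on both machines
TARGET_DOMAIN="example.internal"  # assumed domain of the managed hosts
REX_USER="root"                   # assumed remote user, also the certificate principal
# Placeholder CA public key line; replaced by a real one when ssh-keygen is present
CA_PUB_LINE="ssh-ed25519 AAAA_CONSTRUCTED_CA_PUBLIC_KEY rex-ca"
# Assumed default name of the Capsule's REX user key
UKEY="$WORK/capsule/var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy"
HKEY="$WORK/target/etc/ssh/ssh_host_ed25519_key"

# Issue the four assets with ssh-keygen; skipped where the tool is unavailable so the
# configuration part below still runs.
issue_certificates() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found; skipping"; return 0; }
    ca="$WORK/ca/rex_ca"
    mkdir -p "$WORK/ca" "$(dirname "$UKEY")" "$(dirname "$HKEY")"
    ssh-keygen -q -t ed25519 -N "" -C "rex-ca" -f "$ca"
    # Capsule user key; certificate valid 52 weeks, principal = the remote user
    ssh-keygen -q -t ed25519 -N "" -C "capsule-rex" -f "$UKEY"
    ssh-keygen -q -s "$ca" -I "capsule-rex" -n "$REX_USER" -V "+52w" "$UKEY.pub"
    # target host key; host certificate (-h) whose principal is the host's FQDN
    ssh-keygen -q -t ed25519 -N "" -f "$HKEY"
    ssh-keygen -q -s "$ca" -I "host01" -h -n "host01.$TARGET_DOMAIN" -V "+52w" "$HKEY.pub"
    CA_PUB_LINE="$(cat "$ca.pub")"
    # show what the user certificate grants (principals and validity window)
    ssh-keygen -L -f "$UKEY-cert.pub" | grep -E 'Principals|Valid' || true
}

# Target host side: accept user certificates signed by the CA (no authorized_keys
# entry needed) and present the CA-signed host certificate to the Capsule.
write_target_sshd_config() {
    dir="$WORK/target/etc/ssh"
    mkdir -p "$dir/sshd_config.d"
    printf '%s\n' "$CA_PUB_LINE" > "$dir/rex_ca.pub"
    cat > "$dir/sshd_config.d/50-rex-certificates.conf" <<EOF
# Public key of the customer's SSH CA; user certificates it signed are accepted
TrustedUserCAKeys /etc/ssh/rex_ca.pub
# Host key plus the certificate the CA issued for it
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
    echo "$dir/sshd_config.d/50-rex-certificates.conf"
}

# Capsule side: present the user certificate and, instead of per-host known_hosts
# entries (TOFU), trust any host certificate the CA signed for the domain.
write_capsule_ssh_config() {
    dir="$(dirname "$UKEY")"
    mkdir -p "$dir"
    printf '@cert-authority *.%s %s\n' "$TARGET_DOMAIN" "$CA_PUB_LINE" > "$dir/known_hosts"
    cat > "$dir/config" <<EOF
Host *.$TARGET_DOMAIN
    User $REX_USER
    IdentityFile $UKEY
    CertificateFile $UKEY-cert.pub
    UserKnownHostsFile $dir/known_hosts
    StrictHostKeyChecking yes
EOF
    echo "$dir/config"
}

issue_certificates
write_target_sshd_config
write_capsule_ssh_config
echo "Generated under $WORK"
```

Renewing the assets is then a matter of re-running the signing step and replacing the files the two functions write; the configuration directives themselves do not change, which is what makes the yearly rotation cheap.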

Open questions:

• Do we also need to support only a subset of the functionality (host keys vs. user keys)?
• Is this the recommended way?
• Should this become the only way?
• Does it work with Ansible?
• Do we want to provide recommendations on expiration, the use of principals, or any other feature of the functionality?

For the initial research, see the existing KCS.

Assignee: Unassigned
Reporter: Marek Hulan (rhn-engineering-mhulan)