Getting started with step-ca...issue with host key

[moranbw]

Hey there,

Trying to get step-ca set up in my home environment for cert-based ssh authentication to my VMs. I'm following the instructions on the second half of this page: https://smallstep.com/docs/step-ca/basic-certificate-authority-operations. I can successfully login as a user to my host after setting TrustedUserCAKeys. I run into issues however when I try to add HostKey and HostCertificate. I'm seeing the following errors in sshd. I'm sure I'm doing something silly incorrectly, but I've been at this for a bit now and seem to be following the instructions properly.

The logs do present a question, how would sshd know about the passphrase for the private key? Would this be via ssh-agent?

For reference, this is on a Debian 10 box. The actual CA is running on another VM, and seems to be working okay. Just having issues with the host certs. Thanks.

[maraino]

Default ssh keys doesn't have a passphrase, I'm not sure if sshd supports it, at least directly, I haven't find any option after a quick look to man sshd_config. An agent can be used, to hold those keys, but it's not the most common scenario.

My recommendation is to remove the password from those keys, or sign a new key without a password. One way to do it is to sign an existing sshd public key:

step ssh certificate --sign --host hostname /etc/ssh/ssh_host_ecdsa_key.pub

And to generate one without a password:

step ssh certificate --host --no-password --insecure hostname /etc/ssh/ssh_my_key_name

[moranbw]

Thanks for the feedback!

So I created a fresh host VM, and went this route:

step ssh certificate --host --no-password --insecure hostname /etc/ssh/ssh_my_key_name

And it works! Are there any downsides to this? Also, should the documentation reflect this here, if it is indeed the standard to not have a password on the host private key? The screenshot seems to be defining a password to decrypt the key.

On the original host VM I was trying to do this on, I'm still having issues even when creating new keys with the --no-password --insecure options. I've tried reinstalling openssh-server, moving the HostKey and HostCertificate to a different location, but sshd is still trying to decrypt a private key. Is it being cached somewhere that is not readily apparent? Perhaps this is a peculiarity in Debian or OpenSSH that is transparent to you all, so understand if the question is out of scope.

Thanks again!

[maraino]

There's no downside, but it looks that the docs are wrong.

[moranbw]

Thanks for the info! Also figured out why the --no-password --insecure wasn't working on my original host VM....fat fingers.