-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow step ssh proxycommand
to fall through to standard SSH auth
#750
Comments
Hey @DjLogozzo 👋 . Apologies for the radio silence. We agree that this would be a useful feature and we've added it the next milestone. We don't have an exact date for that yet, but we generally release a new tag (milestone) about once every 1 or 2 months. Thanks for taking the time to open the issue! Cheers 🍻 |
This would be very helpful for us as well- trying multiple identities in the agent is the default behavior if you just use |
@DjLogozzo As a temporary workaround, a configuration like this works quite well!
This falls back to what's essentially a "no-op" ProxyCommand if |
Yay! 🎉 I'm glad it helped! |
Hello!
Issue details
When attempting to SSH into a server that has been setup for SSH Certificate Authentication, with a client that has been setup for SSH Certificate Authentication (ie:
step ssh config
), it no longer becomes possible to login to accounts not in your principal, eg: break-glass accounts, using the hostname.We are currently able to bypass this issue by directly using the IP of the server when running the SSH command, as this does not trigger the
step ssh check-host
command in the default SSH config template, but this feels like a hacky workaround.A better solution would be to allow
step ssh proxycommand
to fallthrough to basic SSH auth if the user is not in the principal of the certificate. Possibly as an argument that can be embedded in the config template so it is not default behaviour.Why is this needed?
It would allow users to login to break-glass, shared, or external auth (ie: LDAP) accounts without resorting to tricks to get around the
step ssh check-host
check.I haven't tested this usecase, but I also believe it would be useful for scenarios where the CA is down, but the user still needs to login to the server (possibly to fix the issue of the CA being down lol)
Info about our setup
We currently have our servers setup for SSO using smallstep CA with Azure as the OpenID provider (following this guide).
The text was updated successfully, but these errors were encountered: