Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When attempting to SSH into a server that has been setup for SSH Certificate Authentication, with a client that has been setup for SSH Certificate Authentication (ie: step ssh config), it no longer becomes possible to login to accounts not in your principal, eg: break-glass accounts, using the hostname.

We are currently able to bypass this issue by directly using the IP of the server when running the SSH command, as this does not trigger the step ssh check-host command in the default SSH config template, but this feels like a hacky workaround.

A better solution would be to allow step ssh proxycommand to fallthrough to basic SSH auth if the user is not in the principal of the certificate. Possibly as an argument that can be embedded in the config template so it is not default behaviour.

Why is this needed?

It would allow users to login to break-glass, shared, or external auth (ie: LDAP) accounts without resorting to tricks to get around the step ssh check-host check.

I haven't tested this usecase, but I also believe it would be useful for scenarios where the CA is down, but the user still needs to login to the server (possibly to fix the issue of the CA being down lol)

Info about our setup

We currently have our servers setup for SSO using smallstep CA with Azure as the OpenID provider (following this guide).