From 8d3073d3dc6df398d761677c2a7eedba0575715c Mon Sep 17 00:00:00 2001
From: David Cowden
Date: Thu, 26 Mar 2020 17:19:53 -0700
Subject: [PATCH] ssh/certificate: Generate a random UUID by default
Apparently some images don't properly handle the machine-id and it ends up not being unique. By default play it safe and generate our own UUID. Deriving a UUID from `/etc/machine-id` is still supported. To trigger that behavior, pass 'machine' as the `--host-id` flag.
---
 command/ssh/certificate.go | 27 +++++++++++++++++++++++----
 command/ssh/ssh.go | 5 +++--
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/command/ssh/certificate.go b/command/ssh/certificate.go
index 1b4e207f..fadac3e7 100644
--- a/command/ssh/certificate.go
+++ b/command/ssh/certificate.go
@@ -120,6 +120,19 @@ $ step ssh certificate --host --sign \
  internal.example.com ssh_host_ecdsa_key.pub
 '''
+Sign an SSH public key and generate a host certificate with a custom uuid:
+'''
+$ step ssh certificate --host --host-id 00000000-0000-0000-0000-000000000000 \
+ --sign internal.example.com ssh_host_ecdsa_key.pub
+'''
+
+Sign an SSH public key and generate a host certificate with a uuid derived
+from '/etc/machine-id':
+'''
+$ step ssh certificate --host --host-id machine --sign \
+ internal.example.com ssh_host_ecdsa_key.pub
+'''
+
 Generate an ssh certificate with custom principals from an existing key pair and add the certificate to the ssh agent:
 '''
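Review bot: The "custom uuid" example passes the all-zeros value, which `uuid.Parse` accepts and which is exactly `uuid.Nil`, the sentinel the code initializes `u` with (visible in the following hunk); a reader who copies the example gets a host certificate whose URI SAN is the nil URN, indistinguishable from an "unset" id. A clearly labelled placeholder in the example, e.g. `--host-id UUID`, or any obviously non-nil sample value, would avoid that. The explanatory sentence could also mention that without `--host-id` a new random UUID is generated on every run, so the custom-uuid form is the one to use when the identity must stay the same across issuances.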
@@ -268,15 +281,21 @@ func certificateAction(ctx *cli.Context) error {
  // All host identity certs need a URI SAN to work with our ssh API.
  if isHost {
  var u = uuid.Nil
- if hostID == "" {
+ switch hostID {
+ case "":
+ u, err = uuid.NewRandom()
+ if err != nil {
+ return errs.Wrap(err, "Unable to generate a host-id.")
+ }
+ case "machine":
  u, err = deriveMachineID()
  if err != nil {
- return errs.Wrap(err, "Unable to derive a host-id. Make sure /etc/machine-id exists or pass an explicit id with --host-id.")
+ return errs.Wrap(err, "Unable to derive a host-id. Make sure /etc/machine-id exists.")
  }
- } else {
+ default:
  u, err = uuid.Parse(hostID)
  if err != nil {
- return errs.InvalidFlagValue(ctx, sshHostIDFlag.Name, hostID, "")
+ return errs.InvalidFlagValue(ctx, sshHostIDFlag.Name, hostID, "[ machine | ]")
  }
  }
  uri, err := url.Parse(u.URN())
diff --git a/command/ssh/ssh.go b/command/ssh/ssh.go
index 5fd553a3..e1cd8ed0 100644
--- a/command/ssh/ssh.go
+++ b/command/ssh/ssh.go
@@ -114,8 +114,9 @@ var (
  }
  sshHostIDFlag = cli.StringFlag{
- Name: "host-id",
- Usage: `Specify a to identify the host rather than using an auto-generated UUID derived from the machine-id.`,
+ Name: "host-id",
+ Usage: `Specify a to identify the host rather than using an auto-generated UUID.
+ If "machine" is passed, derive a UUID from "/etc/machine-id."`,
  }
  sshSignFlag = cli.BoolFlag{
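Review bot: The new default in the `case "":` branch draws a fresh random UUID on every invocation, so the host's URI SAN is no longer stable across re-runs — re-issuing or renewing a host certificate yields a different identity unless the operator records the id and passes it back with `--host-id` — and neither this code nor the `sshHostIDFlag` Usage text in the ssh.go hunk says so. A comment on the case line would make the trade-off explicit, `// Default: fresh random UUID per run; the host identity is not stable across invocations — pass --host-id (or "machine") to keep one.`, and the Usage string should carry the same sentence. Since every branch of the switch either assigns `u` or returns, `var u = uuid.Nil` can become `var u uuid.UUID`. The hint `"[ machine | ]"` in the default branch looks as if a placeholder for the uuid form was lost, possibly only in rendering — worth confirming the source names both accepted forms. certificateAction begins and ends outside the hunk.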
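Review bot: The backquoted Usage string now spans two source lines, so whatever indentation precedes `If "machine"` on the continuation line becomes part of the help text; unless the cli package normalises whitespace in Usage (not visible here), the rendered help will show that indentation mid-sentence. Keeping the string on one line, or joining two quoted strings with `+`, avoids it. The trailing period also sits inside the quoted path: `"/etc/machine-id".` reads better than `"/etc/machine-id."`. The `var (` block enclosing the flag begins and ends outside the hunk.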