Refs #38478 - Introduce SSH CA certificate support

Author: adamlazik1

lib/smart_proxy_remote_execution_ssh.rb

@@ -13,6 +13,18 @@ def validate!
         validate_socket_path!
       end
 
+      def ca_public_key_file
+        File.expand_path(Plugin.settings.ssh_ca_public_key_file)
+      end
+
+      def ca_cert_file
+        File.expand_path(Plugin.settings.ssh_ca_cert_file)
+      end
+
+      def ca_known_hosts_file
+        File.expand_path(Plugin.settings.ssh_ca_known_hosts_file)
+      end
+
       def private_key_file
         File.expand_path(Plugin.settings.ssh_identity_key_file)
       end
@@ -72,6 +84,16 @@ def validate_ssh_settings!
           raise "SSH public key file #{public_key_file} doesn't exist"
         end
 
+        if Plugin.settings.ssh_ca_public_key_file
+          unless File.exist?(ca_public_key_file)
+            raise "SSH CA public key file #{ca_public_key_file} doesn't exist"
+          end
+
+          unless File.exist?(ca_cert_file)
+            raise "SSH CA certificate file #{ca_cert_file} doesn't exist"
+          end
+        end
+
         validate_ssh_log_level!
       end
 

lib/smart_proxy_remote_execution_ssh/api.rb

@@ -9,6 +9,12 @@ class Api < ::Sinatra::Base
       include Sinatra::Authorization::Helpers
       include Proxy::Dynflow::Helpers
 
+      get "/ca_pubkey" do
+        if Ssh.ca_public_key_file
+          File.read(Ssh.ca_public_key_file)
+        end
+      end
+
       get "/pubkey" do
         File.read(Ssh.public_key_file)
       end

lib/smart_proxy_remote_execution_ssh/multiplexed_ssh_connection.rb

@@ -60,6 +60,9 @@ def initialize(options, logger:)
       @host_public_key = options.fetch(:host_public_key, nil)
       @verify_host = options.fetch(:verify_host, nil)
       @client_private_key_file = settings.ssh_identity_key_file
+      @client_ca_known_hosts_file = settings.ssh_ca_known_hosts_file
+      @client_ca_public_key_file = settings.ssh_ca_public_key_file
+      @client_ca_cert_file = settings.ssh_ca_cert_file
 
       @local_working_dir = options.fetch(:local_working_dir, settings.local_working_dir)
       @socket_working_dir = options.fetch(:socket_working_dir, settings.socket_working_dir)
@@ -154,9 +157,14 @@ def establish_ssh_options
       ssh_options << "-o User=#{@ssh_user}"
       ssh_options << "-o Port=#{@ssh_port}" if @ssh_port
       ssh_options << "-o IdentityFile=#{@client_private_key_file}" if @client_private_key_file
+      ssh_options << "-o CertificateFile=#{@client_ca_cert_file}" if @client_ca_cert_file
       ssh_options << "-o IdentitiesOnly=yes"
       ssh_options << "-o StrictHostKeyChecking=accept-new"
-      ssh_options << "-o UserKnownHostsFile=#{prepare_known_hosts}" if @host_public_key
+      if @host_public_key
+        ssh_options << "-o UserKnownHostsFile=#{prepare_known_hosts}"
+      elsif @client_ca_known_hosts_file
+        ssh_options << "-o UserKnownHostsFile=#{@client_ca_known_hosts_file}"
+      end
       ssh_options << "-o LogLevel=#{ssh_log_level(true)}"
       ssh_options << "-o ControlMaster=auto"
       ssh_options << "-o ControlPath=#{socket_file}"

lib/smart_proxy_remote_execution_ssh/plugin.rb

@@ -12,6 +12,9 @@ class Plugin < Proxy::Plugin
 
     settings_file "remote_execution_ssh.yml"
     default_settings :ssh_identity_key_file   => '~/.ssh/id_rsa_foreman_proxy',
+                     :ssh_ca_known_hosts_file => '~/.ssh/ca_known_hosts',
+                     # :ssh_ca_public_key_file  => nil,
+                     # :ssh_ca_cert_file        => nil,
                      :ssh_user                => 'root',
                      :remote_working_dir      => '/var/tmp',
                      :local_working_dir       => '/var/tmp',