Description
What would you like to be added
I would love to have some kind of hardware binding to secure the credentials being used by smallstep CLI.
e.g. for the SSH certificate signing, it would be great if we could re-use the SSH credentials on the YubiKey instead of generating one on the filesystem where they can be stolen by a malicious actor.
http://github.com/go-piv/piv-go is a great project to easily setup and access YubiKey PIV keys.
I've posted a YubiKey example here: https://gist.github.com/hazcod/59af44bc4ad88b43e035ba54ed010c81
Why this is needed
Further secure the credentials being generated by step with a hardware binding.
maraino commented on Aug 4, 2021
Hi @hazcod, this feature is in our roadmap, and the code blocks are already in place. step-ca has an interface named kms.KeyManager that's implemented with support for YubiKey, PKCS#11 and some popular cloud key managers like AWS's KMS and Google's Cloud KMS. That interface has methods to create keys in the YubiKey, as well as read the public key and do sign operations.
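To make the split described above concrete, here is an added example (written for this page, not smallstep's code) of the pattern a KeyManager gives you: the CLI can create a key, read its public half and obtain a crypto.Signer, but the private key never crosses the interface. The method names, the in-memory backend and the IssueRootCA helper are this example's own assumptions standing in for a YubiKey or PKCS#11 backend; x509.CreateCertificate is what consumes the signer.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// KeyManager is the shape the thread describes: create, read public key, sign.
// Method names are this example's assumption, not smallstep's exact interface.
type KeyManager interface {
	CreateKey(name string) (crypto.PublicKey, error)
	GetPublicKey(name string) (crypto.PublicKey, error)
	CreateSigner(name string) (crypto.Signer, error)
}

// memKeyManager is an in-memory stand-in for a token so the example runs
// offline; with real hardware the private keys would live in PIV slots.
type memKeyManager struct{ keys map[string]*ecdsa.PrivateKey }

func newMemKeyManager() *memKeyManager { return &memKeyManager{keys: map[string]*ecdsa.PrivateKey{}} }

func (m *memKeyManager) CreateKey(name string) (crypto.PublicKey, error) {
	if _, exists := m.keys[name]; exists {
		return nil, fmt.Errorf("key %q already exists; refusing to overwrite", name)
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	m.keys[name] = k
	return &k.PublicKey, nil
}

func (m *memKeyManager) GetPublicKey(name string) (crypto.PublicKey, error) {
	s, err := m.CreateSigner(name)
	if err != nil {
		return nil, err
	}
	return s.Public(), nil
}

// CreateSigner hands out Sign and Public only; nothing exports the key.
func (m *memKeyManager) CreateSigner(name string) (crypto.Signer, error) {
	k, ok := m.keys[name]
	if !ok {
		return nil, errors.New("no such key: " + name)
	}
	return &opaqueSigner{pub: &k.PublicKey, sign: func(digest []byte) ([]byte, error) {
		return ecdsa.SignASN1(rand.Reader, k, digest)
	}}, nil
}

type opaqueSigner struct {
	pub  crypto.PublicKey
	sign func(digest []byte) ([]byte, error)
}

func (s *opaqueSigner) Public() crypto.PublicKey { return s.pub }
func (s *opaqueSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return s.sign(digest)
}

// IssueRootCA self-signs a root through the KeyManager, the way a token-backed
// "step certificate create --profile root-ca" would; it only ever sees the signer.
func IssueRootCA(km KeyManager, keyName, cn string) (*x509.Certificate, error) {
	signer, err := km.CreateSigner(keyName)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	km := newMemKeyManager()
	if _, err := km.CreateKey("root"); err != nil {
		panic(err)
	}
	cert, err := IssueRootCA(km, "root", "My Root CA")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued", cert.Subject.CommonName, "self-signature ok:", cert.CheckSignatureFrom(cert) == nil)
}
```

The point to notice is that IssueRootCA compiles against crypto.Signer alone, so swapping the in-memory backend for a hardware one changes nothing on the certificate side; CreateKey also refuses to overwrite an existing slot, which is the check you want before pointing a CLI at a token that already holds a CA key.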
hazcod commented on Sep 29, 2021
@maraino FYI I meant the smallstep CLI, not the step-ca.
(not storing the temporary tokens on-disk)
maraino commented on Sep 29, 2021
@hazcod I meant that we will use the interface that we have in step-ca in the step cli.
baloo commented on Nov 3, 2021
@maraino so the certificate would need to be provided to the pkcs11 provider before being loaded by the ssh-agent. And this is why it needs to rely on the KeyManager here. Am I reading this correctly?
hongkongkiwi commented on Nov 15, 2021
I also need this functionality, I want to use this command:
step certificate create --profile root-ca --template root.tpl "My Root CA" root_ca.crt "pkcs11:mytoken"
I would expect this to work, instead of specifying files each time for key, I should be able to specify a pkcs11 url instead.
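As an added example (not code from the thread or from smallstep) of what accepting a PKCS#11 URL in place of a key file entails, here is a parser for the RFC 7512 "pkcs11:" URI form: path attributes such as token, object and type separated by ";", an optional "?" query carrying pin-value or pin-source, and percent-encoded values. The struct and function names are this example's own. One caveat it surfaces: in RFC 7512 the token is named as token=mytoken, so a bare "pkcs11:mytoken" is rejected as malformed; and since pin-value carries a secret, the Redacted method is what should reach logs.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// PKCS11URI holds the attributes of an RFC 7512 URI (names are this example's).
type PKCS11URI struct {
	Path  map[string]string // token, object, type, serial, id, ...
	Query map[string]string // pin-value, pin-source, module-path, ...
}

// ParsePKCS11URI splits "pkcs11:<path-attrs>[?<query-attrs>]" into attribute maps.
func ParsePKCS11URI(s string) (*PKCS11URI, error) {
	const scheme = "pkcs11:"
	if !strings.HasPrefix(strings.ToLower(s), scheme) {
		return nil, fmt.Errorf("not a pkcs11 URI: %q", s)
	}
	pathPart, queryPart, hasQuery := strings.Cut(s[len(scheme):], "?")
	u := &PKCS11URI{Path: map[string]string{}, Query: map[string]string{}}
	if err := parseAttrs(pathPart, ";", u.Path); err != nil {
		return nil, err
	}
	if hasQuery {
		if err := parseAttrs(queryPart, "&", u.Query); err != nil {
			return nil, err
		}
	}
	return u, nil
}

// parseAttrs decodes name=value pairs; RFC 7512 uses plain percent-encoding,
// so PathUnescape (which does not turn '+' into a space) is used for both parts.
func parseAttrs(s, sep string, dst map[string]string) error {
	if s == "" {
		return nil
	}
	for _, kv := range strings.Split(s, sep) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || k == "" {
			return fmt.Errorf("malformed attribute %q (expected name=value)", kv)
		}
		if _, dup := dst[k]; dup {
			return fmt.Errorf("duplicate attribute %q", k)
		}
		val, err := url.PathUnescape(v)
		if err != nil {
			return fmt.Errorf("attribute %q: %w", k, err)
		}
		dst[k] = val
	}
	return nil
}

// Redacted re-serialises the URI with pin-value masked, safe for logging.
func (u *PKCS11URI) Redacted() string {
	out := "pkcs11:" + joinAttrs(u.Path, ";", nil)
	if len(u.Query) > 0 {
		out += "?" + joinAttrs(u.Query, "&", map[string]bool{"pin-value": true})
	}
	return out
}

func joinAttrs(m map[string]string, sep string, secret map[string]bool) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		v := url.PathEscape(m[k])
		if secret[k] {
			v = "<redacted>"
		}
		parts = append(parts, k+"="+v)
	}
	return strings.Join(parts, sep)
}

func main() {
	// Constructed sample URI for the demo.
	u, err := ParsePKCS11URI("pkcs11:token=mytoken;object=root%20key;type=private?pin-value=1234")
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", u.Path["token"], "object:", u.Path["object"], "log form:", u.Redacted())
}
```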
maraino commented on Nov 15, 2021
@baloo, @hongkongkiwi we will add support for step certificate create, step certificate sign, and step ca init at some point, but this is not a priority for us right now, and is not a simple task. We will also add support for other commands, but the ones above will come first. We have provided little programs that you can modify to get this working; the specific one for YubiKey is here. Modifying it to add custom attributes in the subject or even custom extensions should not be that hard.
Unfortunately, that script does not have support for SSH, but that part is not difficult to do, as we now support the required key management slots too. I will accept a PR that modifies that script with an --ssh flag to enable the creation of a key to sign host certificates and another to sign user certificates, as well as --ssh-host-slot and --ssh-user-slot to define the slots where we want to add the keys. You can look at step-pkcs11-init, which shows you how to create a key using the key manager for SSH. I'll try to add SSH support for that script soon if we don't get a PR first.
And for SSH, once you have an SSH-CA configured, you can sign keys that require a YubiKey too:
To use that certificate with ssh you will need to have your key connected and tap it.
hongkongkiwi commented on Nov 16, 2021
Thanks for the detailed explanation. As my usage is a bit more generic than Yubikey, I created a separate issue here #583 to keep it simple.