Tls_self_signed_cert - how to output in the correct format for /etc/ssh/ssh_known_hosts

I’m wondering how to take the output of this resource and add it to /etc/ssh/ssh_known_hosts, and also ensure the format is compatible for TrustedUserCAKeys in /etc/ssh/sshd_config

Using an output var like tls_locally_signed_cert.my_cert.cert_pem, this produces a multiline-format certificate that is unsuitable to add to /etc/ssh/ssh_known_hosts with @cert-authority.

If you have any pointers I’d much appreciate it!

I generate it this way:

A better way, and what I may do (once the metadata agent supports IPv6-only nodes), is to push the public key to a metadata value and fetch it using Terraform when writing the known_hosts file.

I’ve just realised that this whole process is for TLS/HTTPS and not SSH certificates, which explains why the format is wrong. So I was getting mixed up with two different incompatible processes.

Hi @queglay,

It’s true that the tls provider is primarily for dealing with TLS-related concerns, although it does already have one small adaptation to allow using it with OpenSSH’s cryptography: the tls_private_key resource type has a public_key_openssh attribute. That represents the same data as public_key_pem, but it’s formatted in the shape OpenSSH expects to see in .ssh/authorized_keys.

I’m not super familiar with OpenSSH’s certificate-based authentication, but if it has a similar characteristic of just being a non-standard serialization of the same underlying data structures that TLS uses then in principle resources like tls_self_signed_cert could also produce the OpenSSH syntax alongside the PEM syntax.

I’m not certain of how much work that would take or what exactly it would look like, but if it sounds promising and you have the time/motivation to help with some design and/or implementation work for it then we could get that discussion started in a feature request issue in the hashicorp/tls provider repository.

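A concrete version of the public_key_openssh approach from the reply above, written as an added example rather than code from the thread or the provider's documentation. It assumes a hypothetical CA key named ssh_ca, the domain example.internal and the file paths shown; it produces the CA public key in OpenSSH's one-line form for both @cert-authority and TrustedUserCAKeys, while issuing SSH certificates signed by that CA remains outside the tls provider, as the thread concludes.

```hcl
terraform {
  required_providers {
    tls   = { source = "hashicorp/tls" }
    local = { source = "hashicorp/local" }
  }
}

# Hypothetical SSH CA key pair. The private key is stored in Terraform
# state, so the state backend has to be treated as secret material.
resource "tls_private_key" "ssh_ca" {
  algorithm = "ED25519"
}

# public_key_openssh is already the single-line authorized_keys format;
# trimspace drops its trailing newline so it can be spliced into a line.
locals {
  ca_pub = trimspace(tls_private_key.ssh_ca.public_key_openssh)
}

# Client-side trust: hosts in the assumed domain presenting a host
# certificate signed by this CA are accepted without a per-host key.
resource "local_file" "ssh_known_hosts" {
  filename        = "${path.module}/ssh_known_hosts"
  file_permission = "0644"
  content         = "@cert-authority *.example.internal ${local.ca_pub}\n"
}

# Server-side trust: the file named by TrustedUserCAKeys in sshd_config
# holds plain OpenSSH public keys, one per line, no @cert-authority prefix.
resource "local_file" "trusted_user_ca_keys" {
  filename        = "${path.module}/trusted_user_ca_keys"
  file_permission = "0644"
  content         = "${local.ca_pub}\n"
}

output "sshd_config_line" {
  value = "TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys"
}
```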

Oh that is pretty cool! Thanks for revealing that ability for the public key at least… Upon thinking about it further, if I can’t do something like encrypt it with a KMS key in the state file, I probably should do it outside of Terraform… or is that also possible?