initial playing around

Brian McCallister · Brian McCallister · commit 22b8941fb786 · 2019-10-13T11:53:58.000-07:00
diff --git a/README.md b/README.md
@@ -1 +1,45 @@
-# epithet
+# epithet makes secure ssh certificate AAA easy
+
+## Authentication
+
+Short lived SSH certs.
+
+What is short-live default? 10 minutes, 1 hour? How do we arrive at a sound number rather than a "this sounds good"?
+
+How do we authenticate to the CA service? This seems like it should be pluggable (SAML, OAuth, OpenID)
+
+## Authorization
+
+By principals-as-groups rather than principals-as-people.
+
+How much should we care about individuals vs groups? My tendency is to steer to principal being the group not the individual, then manage who is in what group in the cert generating machinery. 
+
+## Accounting (Auditing)
+
+Use cert ID to know who did what.
+
+[Facebook style](https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/) ssh handling seems to take this approach. 
+
+# Login Mechanism
+
+How do we make sure ssh sends the right cert?
+
+We have a couple options, either one implies we authenticate to a local agent, which is granted credentials to communicate with the CA to obtain short lived certificates. We must never *trust* the agent to do more than obtain certs on behalf of the person whom it has credentials for -- ie, it must never get the CA private key.
+
+## Option: custom ssh-agent and `IdentityAgent` directives on host patterns
+
+No interest in replacing default openssh ssh-agent, but you can specify a different one for a host block in config. I don't know if there is a mechanism to launch it if missing, but worst case we need to start a daemon.
+
+We then need to have a communication channel between that agent and the CA which we trust. It seems like starting the agent explicitely and doing an auth dance (CLI saml with okta, pop a web browser, etc) that tells the CA to trust the agent can work. Implies we could use short lived TLS certs for Agent -> CA, though this may be overthinking it.
+
+## Option: daemon generate cert file
+
+Instead of asking the agent for the cert, just update contents of `~/.ssh/` to replace a named certificate. A drawback here is that we don't know when it is being used, so refreshing it will need to be out of band.
+
+This feels like it would be faster to start with, but more limited than having an agent proper.
+
+
+# "Installation"
+
+Seems critical that an installation needs to run its own CA for security, so we need to make CA setup process as one-click as we can. For v1, seems fine to assume AWS will host, but am sure by v7 we will need to not care, so don't make decisions that lock us in to a single infra, but don't worry about supporting multiple infrastructures yet.
+
diff --git a/agent/main.go b/agent/main.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+	"fmt"
+	"net"
+
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+func main() {
+	pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pubCert))
+	if err != nil {
+		panic(err)
+	}
+	cert, ok := pk.(*ssh.Certificate)
+	if !ok {
+		panic("not a certificate!")
+	}
+
+	priv, err := ssh.ParseRawPrivateKey([]byte(privateKey))
+	if err != nil {
+		panic(err)
+	}
+
+	keyring := agent.NewKeyring()
+	keyring.Add(agent.AddedKey{
+		PrivateKey:  priv,
+		Certificate: cert,
+	})
+
+	path := "/tmp/epithet-agent"
+
+	sock, err := net.Listen("unix", path)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("export SSH_AUTH_SOCK=/tmp/epithet-agent")
+	for {
+		conn, err := sock.Accept()
+		if err != nil {
+			panic(err)
+		}
+		go func() {
+			err := agent.ServeAgent(keyring, conn)
+			if err != nil {
+				panic(err)
+			}
+		}()
+	}
+}
+
+const privateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD+94OTJVooGNj9LO4lPwobX9zIvisccuNeTpBMsQO+UgAAAJjcBY813AWP
+NQAAAAtzc2gtZWQyNTUxOQAAACD+94OTJVooGNj9LO4lPwobX9zIvisccuNeTpBMsQO+Ug
+AAAEC6GR1iGMhzhphbnsAIN44Wpn8AZzAQTWh/gdHaKzfOg/73g5MlWigY2P0s7iU/Chtf
+3Mi+Kxxy415OkEyxA75SAAAAD2JyaWFubW5Ac2N1ZmZpbgECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----`
+
+const pubCert = `ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAID4AIPoWH60yQ3Ay6V9oYBBALFVszirLToisufG6hGaLAAAAIP73g5MlWigY2P0s7iU/Chtf3Mi+Kxxy415OkEyxA75SAAAAAAAAAAAAAAABAAAABmJyaWFubQAAAAoAAAAGYnJpYW5tAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJAAABDwAAAAdzc2gtcnNhAAABALpCd/eBkQig/ap5wCJQEfx9xMhNMPa0Fn4+b2F80dHBKly9xZAM68h/sKIrJZe17xspFbe0gDNs7RkFtBnK6iLG5VZSNIzwsxGJ63J/w1DMrz1t1gJQNCDfzpznNJOc4MhcbF6HdF+kYA11DIN/lST1Th80l7EM9Q4NVChA5J2bDiSUso5oMN+RkUJRiCBjc6UG9BiJt3c3B2cUuvjSEtU/jRrR6sCH+klICOUSsscOToiFxjtsL4wmogMD+TS9e7CpgJBX8cxZP1pZ2bY5qik27llPS1YAtroEbE4OliqZQ35wLqHsmMYYg5LDTFhd+HOu1fGSaemeh92CaGvOyAQ= brianmn@scuffin`
diff --git a/go.mod b/go.mod
@@ -0,0 +1,8 @@
+module github.com/brianm/epithet
+
+go 1.13
+
+require (
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
+	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,10 @@
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191010194322-b09406accb47 h1:/XfQ9z7ib8eEJX2hdgFTZJ/ntt0swNk5oYBziWeTCvY=
+golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/play/PLAY.md b/play/PLAY.md
@@ -0,0 +1,3 @@
+```
+sshd -c cert_file -d -f ./config_file -h ./host_key_file -p $PORT
+```
diff --git a/play/ca/ca b/play/ca/ca
@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAzR+81qAzf9BhzqjKvBOJdMXocSOG6nKqeBZozKBqdYG9VWJfhvyl
+qEbn82pgr1b19+6Bn05SIv9MFv5ghT7Vb/Q4Op1hlUc+qxAr+IYxeE3MYFyF21S8O9C8Mt
+BTYXPW19dw/uGfFJGj/eHNLO/Z27X1u8PNo75wl8FmIfaHa/j1/bUmTgib1oKBndP6TG8i
+6f+xGqRgcrvn8aseF8m/PUVbQqQQWa2e8Tqj1ecA+QYx36wkRKnHXlfI880JMQ1HJT42xY
+GuFllDBBc95a/G9eMj5dJuQDQkRc9kV+46fMSoi/IM+1dCt+2V+bx2hoGgx4EG5kb6uwZG
+hlkWBC8syQAAA8DxizNB8YszQQAAAAdzc2gtcnNhAAABAQDNH7zWoDN/0GHOqMq8E4l0xe
+hxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGV
+Rz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwW
+Yh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5
+BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8g
+z7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJAAAAAwEAAQAAAQEAx28PJEG4MJIDNnHI
+Q1pfb8in+bCIEVSRR5bKKAHj4AHXerfdlxn3WoguJu2LuY68MWWUY7Y7h8leSpDieUqhLG
+tvbBXudbxCQwHDLqwSVxyVFC+A+cIGDcYh5OnF199PyKWwODBXgiEkJ8ituv4sfEEK/Zcf
+Tg/v2qxvx5+xBRjZOMclfhFvtv+QxsE+yFH9+KZvrtv0GsEHTnCD1FsY1Vh6vZhBBjFNFo
+JtKw5KIiXGdmMv9s6cUT4DClG31M2QnvbppQhLrxxdLAGTB0Dr7ldtBZdauhKhPo1TaJMg
+3EQZ7IYoyBeCedOagAKb0GW68FW0Tmy73HaRfU8dZgnaDQAAAIAncC8GP72UgX7zxJ19Go
+/tpmKyQvtrOjtmZAja0/y+bePYwHllvTfPLEo5NOeiLv8fDTTIPETUMmihywstyU2TPbWq
+pgRjXCv36QGYlviKfjja1uIwd9KLJRKavI3kp+0uz6ZJFxrez0i7GCR0Tu2rX+RGrjLj2V
+mY+eCroW+y5AAAAIEA5+Hl9hU2Sbx8j6Ohgeyn9eFfVTafRttMg2wMQVNW0MzMj0DibSKT
+Fi55TwSANSXMQ/uL3eW6ZcHcxKQCxT2KzTz7QiR3qE2uad9EQx3N6XWKxDoPlDgrlUktcH
+nYy4rmJe7HVL7FpBuFUxsfrlgVclrxClA/lZq8mP9CutlZBYcAAACBAOJ1XnwElJpDxwWY
+HEM250mpK26m4oxkjBMIx/lLC1DST+vMU2k/N801xi6Rb1MravliiuK0jHZlJO4DL816GV
+lTe2/oE0W4DNt/J1ypylVLVL2E2EKqQqHbYmXQ87EFdp8OanAu6F29pRdKstTbYkGk6lET
+lYB3IqmowLJ7ac8vAAAAB3VzZXItY2EBAgM=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/play/ca/ca.pub b/play/ca/ca.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJ user-ca
diff --git a/play/server/Dockerfile b/play/server/Dockerfile
@@ -0,0 +1,12 @@
+FROM eg_sshd:1
+
+RUN mkdir /etc/ssh/auth_principals
+RUN chmod 0755 /etc/ssh/auth_principals
+
+COPY ca.pub /etc/ssh/ca.pub
+COPY sshd_config /etc/ssh/sshd_config
+COPY auth_principals/* /etc/ssh/auth_principals/
+RUN chmod 0644 /etc/ssh/sshd_config /etc/ssh/ca.pub
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-d"]
diff --git a/play/server/Makefile b/play/server/Makefile
@@ -0,0 +1,13 @@
+TMP := "/srv/epithet-server"
+
+.PHONY: server
+server: prep
+	sudo /usr/sbin/sshd -f $(TMP)/sshd_config -d
+ 
+prep:
+	sudo rm -rf $(TMP)
+	sudo mkdir -p $(TMP)
+	sudo chmod 0700 $(TMP)
+	sudo cp -r * $(TMP)/
+	sudo find $(TMP) -type d -exec chmod 0700 {} \;
+	sudo find $(TMP) -type f -exec chmod 0700 {} \;
diff --git a/play/server/auth_principals/root b/play/server/auth_principals/root
@@ -0,0 +1 @@
+brianm
diff --git a/play/server/ca.pub b/play/server/ca.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJ user-ca
diff --git a/play/server/ssh_Dockerfile b/play/server/ssh_Dockerfile
@@ -0,0 +1,16 @@
+FROM ubuntu:16.04
+
+RUN apt-get update && apt-get install -y openssh-server
+# RUN apt-get install -y openssh-server
+RUN mkdir /var/run/sshd
+RUN echo 'root:waffle' | chpasswd
+RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+ENV NOTVISIBLE "in users profile"
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/play/server/ssh_host_ed25519_key b/play/server/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDOZ6aJojZevAt5qhGNiFqNfH5PsxJVwxEoSpvXu+OfvAAAAJiP3wAsj98A
+LAAAAAtzc2gtZWQyNTUxOQAAACDOZ6aJojZevAt5qhGNiFqNfH5PsxJVwxEoSpvXu+OfvA
+AAAECmo1i88MicUhZLmHvzcNccSKQWZwrGiUf0ZybMxbizpM5npomiNl68C3mqEY2IWo18
+fk+zElXDEShKm9e745+8AAAADmJyaWFubUBzY3VmZmluAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/play/server/ssh_host_ed25519_key-cert.pub b/play/server/ssh_host_ed25519_key-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHEcYh30rhphz3cRgyEaLhIzlbS6hAQAzRnCBeByc26KAAAAIM5npomiNl68C3mqEY2IWo18fk+zElXDEShKm9e745+8AAAAAAAAAAAAAAACAAAAB3NjdWZmaW4AAAAAAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAM0fvNagM3/QYc6oyrwTiXTF6HEjhupyqngWaMyganWBvVViX4b8pahG5/NqYK9W9ffugZ9OUiL/TBb+YIU+1W/0ODqdYZVHPqsQK/iGMXhNzGBchdtUvDvQvDLQU2Fz1tfXcP7hnxSRo/3hzSzv2du19bvDzaO+cJfBZiH2h2v49f21Jk4Im9aCgZ3T+kxvIun/sRqkYHK75/GrHhfJvz1FW0KkEFmtnvE6o9XnAPkGMd+sJESpx15XyPPNCTENRyU+NsWBrhZZQwQXPeWvxvXjI+XSbkA0JEXPZFfuOnzEqIvyDPtXQrftlfm8doaBoMeBBuZG+rsGRoZZFgQvLMkAAAEPAAAAB3NzaC1yc2EAAAEAXz3FsJzreKylJ6aUeHtMhFxkwRqGx96QrnwV9NznoXTBWStJ3OWKA8mkCNlVgqd8RiyEK7WqeQMr/6OpE1zRm6a6WO/Tvfd0r25gES0BB1YBBHlumoL6uUj7L4XTy40byfgAX1xa7QhhvgLkD/IS3IwXSYrXd+VD7i2bWK9bx0hg1R8St9QOJXKHcY2z3TbDvQl4JYLsgKFiBsgPbjsXqr3YPCkCOdQYq1DRJHQC8+o9XRkVN7yoZ7HFBLS1fPyc3KdrcNnMTd7YboKtwJJD5Fpk64wTeO0G63D0tPX/NqVGqUsgI/Z6hz18NZ4rue1RYPKEVpBv/0uXYfJG3GvV1Q== brianm@scuffin
diff --git a/play/server/ssh_host_ed25519_key.pub b/play/server/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5npomiNl68C3mqEY2IWo18fk+zElXDEShKm9e745+8 brianm@scuffin
diff --git a/play/server/sshd_config b/play/server/sshd_config
@@ -0,0 +1,21 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*
+UsePAM no
+
+TrustedUserCAKeys /etc/ssh/ca.pub
+AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
diff --git a/play/user/ca.pub b/play/user/ca.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJ user-ca
diff --git a/play/user/id_ed25519 b/play/user/id_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD+94OTJVooGNj9LO4lPwobX9zIvisccuNeTpBMsQO+UgAAAJjcBY813AWP
+NQAAAAtzc2gtZWQyNTUxOQAAACD+94OTJVooGNj9LO4lPwobX9zIvisccuNeTpBMsQO+Ug
+AAAEC6GR1iGMhzhphbnsAIN44Wpn8AZzAQTWh/gdHaKzfOg/73g5MlWigY2P0s7iU/Chtf
+3Mi+Kxxy415OkEyxA75SAAAAD2JyaWFubW5Ac2N1ZmZpbgECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/play/user/id_ed25519-cert.pub b/play/user/id_ed25519-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAID4AIPoWH60yQ3Ay6V9oYBBALFVszirLToisufG6hGaLAAAAIP73g5MlWigY2P0s7iU/Chtf3Mi+Kxxy415OkEyxA75SAAAAAAAAAAAAAAABAAAABmJyaWFubQAAAAoAAAAGYnJpYW5tAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJAAABDwAAAAdzc2gtcnNhAAABALpCd/eBkQig/ap5wCJQEfx9xMhNMPa0Fn4+b2F80dHBKly9xZAM68h/sKIrJZe17xspFbe0gDNs7RkFtBnK6iLG5VZSNIzwsxGJ63J/w1DMrz1t1gJQNCDfzpznNJOc4MhcbF6HdF+kYA11DIN/lST1Th80l7EM9Q4NVChA5J2bDiSUso5oMN+RkUJRiCBjc6UG9BiJt3c3B2cUuvjSEtU/jRrR6sCH+klICOUSsscOToiFxjtsL4wmogMD+TS9e7CpgJBX8cxZP1pZ2bY5qik27llPS1YAtroEbE4OliqZQ35wLqHsmMYYg5LDTFhd+HOu1fGSaemeh92CaGvOyAQ= brianmn@scuffin
diff --git a/play/user/id_ed25519.pub b/play/user/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP73g5MlWigY2P0s7iU/Chtf3Mi+Kxxy415OkEyxA75S brianmn@scuffin

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```
	`2`	`+sshd -c cert_file -d -f ./config_file -h ./host_key_file -p $PORT`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNH7zWoDN/0GHOqMq8E4l0xehxI4bqcqp4FmjMoGp1gb1VYl+G/KWoRufzamCvVvX37oGfTlIi/0wW/mCFPtVv9Dg6nWGVRz6rECv4hjF4TcxgXIXbVLw70Lwy0FNhc9bX13D+4Z8UkaP94c0s79nbtfW7w82jvnCXwWYh9odr+PX9tSZOCJvWgoGd0/pMbyLp/7EapGByu+fxqx4Xyb89RVtCpBBZrZ7xOqPV5wD5BjHfrCREqcdeV8jzzQkxDUclPjbFga4WWUMEFz3lr8b14yPl0m5ANCRFz2RX7jp8xKiL8gz7V0K37ZX5vHaGgaDHgQbmRvq7BkaGWRYELyzJ user-ca`