Merge pull request #534 from smallstep/match-all

Update sshd_config.tpl to a Match all block.

authority/ssh_test.go

@@ -450,7 +450,7 @@ func TestAuthority_GetSSHConfig(t *testing.T) {
 		{Name: "config.tpl", Type: templates.File, Comment: "#", Path: "ssh/config", Content: []byte("Match exec \"step ssh check-host %h\"\n\tUserKnownHostsFile /home/user/.step/ssh/known_hosts\n\tProxyCommand step ssh proxycommand %r %h %p\n")},
 	}
 	hostOutputWithUserData := []templates.Output{
-		{Name: "sshd_config.tpl", Type: templates.File, Comment: "#", Path: "/etc/ssh/sshd_config", Content: []byte("TrustedUserCAKeys /etc/ssh/ca.pub\nHostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub\nHostKey /etc/ssh/ssh_host_ecdsa_key")},
+		{Name: "sshd_config.tpl", Type: templates.File, Comment: "#", Path: "/etc/ssh/sshd_config", Content: []byte("Match all\n\tTrustedUserCAKeys /etc/ssh/ca.pub\n\tHostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub\n\tHostKey /etc/ssh/ssh_host_ecdsa_key")},
 	}
 
 	tmplConfigErr := &templates.Templates{

authority/testdata/templates/sshd_config.tpl

@@ -1,3 +1,4 @@
-TrustedUserCAKeys /etc/ssh/ca.pub
+Match all
-HostCertificate /etc/ssh/{{.User.Certificate}}
+	TrustedUserCAKeys /etc/ssh/ca.pub
-HostKey /etc/ssh/{{.User.Key}}
+	HostCertificate /etc/ssh/{{.User.Certificate}}
+	HostKey /etc/ssh/{{.User.Key}}

templates/values.go

@@ -99,9 +99,10 @@ var DefaultSSHTemplateData = map[string]string{
 `,
 
 	// sshd_config.tpl adds the configuration to support certificates
-	"sshd_config.tpl": `TrustedUserCAKeys /etc/ssh/ca.pub
+	"sshd_config.tpl": `Match all
-HostCertificate /etc/ssh/{{.User.Certificate}}
+	TrustedUserCAKeys /etc/ssh/ca.pub
-HostKey /etc/ssh/{{.User.Key}}`,
+	HostCertificate /etc/ssh/{{.User.Certificate}}
+	HostKey /etc/ssh/{{.User.Key}}`,
 
 	// ca.tpl contains the public key used to authorized clients
 	"ca.tpl": `{{.Step.SSH.UserKey.Type}} {{.Step.SSH.UserKey.Marshal | toString | b64enc}}