Not allowed to sign ssh host cert error

[lukasz-lobocki]

Issue

When I request ssh host certificate:

step ssh certificate --host --not-after=3h --provisioner=Main temp-id temp-file

I get the following error:

authority.SignSSH: error creating ssh certificate

and I need help to get around that. Would you be so kind?

Log

My log says:

step-ca[2125540]:
{"duration":"43.443091ms","duration-ns":43443091,"error":"authority not allowed to sign ssh host certificates"...

Config

My main provisioner is configured like this:

{
        "type": "JWK",
        "name": "Main",
        "key": {
            "use": "sig",
            "kty": "EC",
            "kid": "6Q6qez...",
            "crv": "P-256",
            "alg": "ES256",
            "x": "7oMObt...",
            "y": "GxPXn4..."
        },
        "encryptedKey": "eyJhbG...",
        "claims": {
            "maxTLSCertDuration": "4368h0...",
            "defaultTLSCertDuration": "168h0m...",
            "maxUserSSHCertDuration": "168h0m...",
            "defaultUserSSHCertDuration": "48h0m0...",
            "maxHostSSHCertDuration": "1680h0...",
            "defaultHostSSHCertDuration": "336h0m...",
            "enableSSHCA": true,
            "disableRenewal": false,
            "allowRenewalAfterExpiry": false,
            "disableSmallstepExtensions": false
        },
        "options": {
            "x509": {
                "template": "===redacted==="
            },
            "ssh": {}
        }
    },

And I have those in ca.json:

"ssh": {
    "hostKey": "/etc/step-ca/secrets/ssh-host-ca-key",
    "userKey": "/etc/step-ca/secrets/ssh-user-ca-key"
  },

Other

When I was initiating the ca I did not use --ssh flag. However later I issued step ca provisioner update Main --ssh=true command.

[lukasz-lobocki]

Answer to myself, from SSH Policies

If a policy has rules for user certificates and no rule for host certificates, host certificates will be denied. The same is true in case there are rules for host certificates and none for user certificates: a user certificate will then always be denied.

[hslatman]

Hey @lukasz-lobocki, great that you found the issue. I didn't see you have an SSH user policy configured, but I suppose it's there in your authority config. I can have a look at clarifying that error message, as right now the only way to find the actual cause is to read the source.