Bug 2213349

Summary: [RFE] Allow remote execution to use CA-issued SSH certificates
Product: Red Hat Satellite
Reporter: Jessica Richards <jrichards2>
Component: Remote Execution
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW ---
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.11.0
CC: aruzicka, dsinglet, rlavi
Target Milestone: Unspecified
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jessica Richards 2023-06-07 21:39:49 UTC
1. Proposed title of this feature request

[RFE] Allow remote execution to use CA-issued SSH certificates

3. What is the nature and description of the request?

The customer would like to use SSH certificates issued by their certificate authority, rather than SSH keys, for remote execution.

4. Why does the customer need this? (List the business requirements here)

They believe that this approach will be more secure than using gpg keys.

5. How would the customer like to achieve this? (List the functional requirements here)

Add fields under Administer > Settings > Remote Execution to specify the path to the SSH certificate, SSH certificate key and certificate authority bundle files.

Add a check-mark box in the "Advanced fields" section of the "Schedule Remote Job" page to allow SSH keys to be used.

Also add corresponding options to the hammer command, and to the REST API.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

no

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

no

9. Is the sales team involved in this request and do they have any additional input?

no

10. List any affected packages or components.

ssh
ansible(?)

11. Would the customer be able to assist in testing this functionality if implemented?

.

Comment 2 Adam Ruzicka 2023-06-08 07:37:00 UTC
> They believe that this approach will be more secure than using gpg keys.

gpg keys?

> Add fields under Administer > Settings > Remote Execution to specify the path to the SSH certificate, SSH certificate key and certificate authority bundle files.

So there would be a single certificate, key and CA file for the *entire satellite*, shared across organizations and so on? And when used, contents of those files would be sent over to the capsules?