From 08850d5334980167f520237faf761c9332a16e4a Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 11 Oct 2019 19:26:59 -0700
Subject: [PATCH] Add support for federated keys.
---
 authority/authority.go | 6 ++++++
 pki/templates.go | 10 ++++++++--
 templates/values.go | 6 ++++--
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/authority/authority.go b/authority/authority.go
index 88c829c6..34eee14b 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -195,9 +195,15 @@ func (a *Authority) init() error {
 if a.config.SSH != nil {
 if a.sshCAHostCertSignKey != nil {
 vars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
+ for _, k := range a.sshCAHostFederatedCerts[1:] {
+ vars.SSH.HostFederatedKeys = append(vars.SSH.HostFederatedKeys, k)
+ }
 }
 if a.sshCAUserCertSignKey != nil {
 vars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
+ for _, k := range a.sshCAUserFederatedCerts[1:] {
+ vars.SSH.UserFederatedKeys = append(vars.SSH.UserFederatedKeys, k)
+ }
 }
 }
 t.Data["Step"] = vars
diff --git a/pki/templates.go b/pki/templates.go
index c5789573..99a2ac7d 100644
--- a/pki/templates.go
+++ b/pki/templates.go
@@ -38,7 +38,10 @@ var sshTemplateData = map[string]string{
 UserKnownHostsFile {{.User.StepPath}}/config/ssh/known_hosts`,
 // known_hosts.tpl authorizes the ssh hosts key
- "known_hosts.tpl": "@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}}",
+ "known_hosts.tpl": `@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}}
+{{- range .Step.SSH.HostFederatedKeys}}
+@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}}
+{{- end}}`,
 // sshd_config.tpl adds the configuration to support certificates
 "sshd_config.tpl": `TrustedUserCAKeys /etc/ssh/ca.pub
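Review bot: `a.sshCAHostFederatedCerts[1:]` (and `a.sshCAUserFederatedCerts[1:]` in the second added loop) panics with a slice-bounds error when the slice has length 0, because re-slicing from index 1 requires len >= 1, and the surrounding nil check on the signing key does not establish that. If an invariant elsewhere guarantees that index 0 always holds the signing key's own entry this is safe, but it is not visible here, so a guard such as `if len(a.sshCAHostFederatedCerts) > 1 {` around each loop plus a comment like `// index 0 is the signing key itself; only the remaining federated keys are exported` would make the intent explicit and fail safe. If the slice's element type is exactly ssh.PublicKey, each loop also collapses to `vars.SSH.HostFederatedKeys = append(vars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)`. init() starts before and continues after this hunk.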
@@ -46,7 +49,10 @@ HostCertificate /etc/ssh/{{.User.Certificate}}
 HostKey /etc/ssh/{{.User.Key}}`,
 // ca.tpl contains the public key used to authorized clients
- "ca.tpl": "{{.Step.SSH.UserKey.Type}} {{.Step.SSH.UserKey.Marshal | toString | b64enc}}",
+ "ca.tpl": `{{.Step.SSH.UserKey.Type}} {{.Step.SSH.UserKey.Marshal | toString | b64enc}}
+{{- range .Step.SSH.UserFederatedKeys}}
+{{.Type}} {{.Marshal | toString | b64enc}}
+{{- end}}`,
 }
 // getTemplates returns all the templates enabled
diff --git a/templates/values.go b/templates/values.go
index 995c2998..505b3b87 100644
--- a/templates/values.go
+++ b/templates/values.go
@@ -10,6 +10,8 @@ type Step struct {
 }
 type StepSSH struct {
- HostKey ssh.PublicKey
- UserKey ssh.PublicKey
+ HostKey ssh.PublicKey
+ UserKey ssh.PublicKey
+ HostFederatedKeys []ssh.PublicKey
+ UserFederatedKeys []ssh.PublicKey
 }
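Review bot: The context comment `// ca.tpl contains the public key used to authorized clients` above the change is now inaccurate: the new template renders UserKey followed by one line per entry of UserFederatedKeys, so the file sshd reads through TrustedUserCAKeys (the sshd_config.tpl line in the previous hunk) trusts every listed key as a user CA, not a single key. Suggest `// ca.tpl contains the user CA public keys (UserKey plus any UserFederatedKeys) that sshd trusts for client certificates`. The same applies to `// known_hosts.tpl authorizes the ssh hosts key` in the preceding hunk, where each federated host key becomes its own `@cert-authority *` entry. A short remark that the `{{-` trim markers are what keep the output to exactly one key per line would also help the next person editing these templates.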
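Review bot: The new exported fields HostFederatedKeys and UserFederatedKeys carry no doc comment, and since their entries are rendered as trusted CA keys (a `@cert-authority *` line in known_hosts and a line in the TrustedUserCAKeys file, per the pki/templates.go hunks), the trust implication is worth stating at the declaration. Suggest `// HostFederatedKeys lists additional host CA public keys rendered into known_hosts alongside HostKey.` and `// UserFederatedKeys lists additional user CA public keys rendered into the TrustedUserCAKeys file alongside UserKey.`. The pre-existing HostKey and UserKey fields would benefit from the same treatment while this struct is being touched.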