From 7d670b20eaad043c81e48b3805849f4dea36118c Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Mon, 29 Jul 2019 17:54:38 -0700
Subject: [PATCH] Add support of ssh host certinficates in AWS provisioner.

---
 authority/provisioner/aws.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 738a2d33..03a0747e 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -441,5 +441,27 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 
 // authorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (p *AWS) authorizeSSHSign(claims *awsPayload) ([]SignOption, error) {
-	return nil, nil
+	doc := claims.document
+
+	signOptions := []SignOption{
+		// set the key id to the token subject
+		sshCertificateKeyIDModifier(claims.Subject),
+	}
+
+	signOptions = append(signOptions, &sshCertificateOptionsValidator{&SSHOptions{
+		CertType: SSHHostCert,
+		Principals: []string{
+			doc.PrivateIP,
+			fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
+		},
+	}})
+
+	return append(signOptions,
+		// set the default extensions
+		&sshDefaultExtensionModifier{},
+		// checks the validity bounds, and set the validity if has not been set
+		&sshCertificateValidityModifier{p.claimer},
+		// require all the fields in the SSH certificate
+		&sshCertificateDefaultValidator{},
+	), nil
 }