The *sshca-cli* RPM package can be used to install the SSHCA CLI client
on Fedora (and other RPM-based distributions). The `.spec` file was
originally generated using [rust2rpm], but several manual modifications
were required. Notably, the script does not generate `BuildRequires`
tags when run in "vendored" mode (i.e. third-party crate sources are
included in the source RPM package instead of packaged as separate
RPMs).

The CLI tool will be the primary method for interacting with the SSH CA
service. For now, it supports a single operation: `sshca-cli host
sign`, which requests a certificate to be signed by the CA service.

I realized that allowing hosts to request certificates for arbitrary
aliases sort of defeats the purpose of the authentication process. If a
host successfully authenticates, there would be nothing stopping it from
requesting a certificate for another host. I will have to come up with
a different way of specifying aliases. Probably something like a JSON
map containing pre-assigned aliases for hosts that will need them.

Since hosts have multiple keys that they will want to have signed, they
will need to make multiple requests, either sequentially or in parallel.
Since each request must be authenticated individually, this would result
in a libvirt connection and lookup for each one. To avoid this
overhead, the server will now cache machine IDs in memory for 60
seconds.
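
A sketch of the 60-second machine ID cache described above, as an added example that is not code from the SSHCA project. The `MachineIdCache` type, its method names, the string representation of machine IDs and the `lookup` closure standing in for the libvirt query are all assumptions.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Cache lifetime stated in the text above.
pub const MACHINE_ID_TTL: Duration = Duration::from_secs(60);

/// Hypothetical cache type; hostnames and machine IDs are modelled as strings.
pub struct MachineIdCache {
    ttl: Duration,
    entries: HashMap<String, (String, Instant)>,
}

impl MachineIdCache {
    pub fn new(ttl: Duration) -> Self {
        Self { ttl, entries: HashMap::new() }
    }

    /// Return the cached machine ID for `host`, or call `lookup` (standing in
    /// for the libvirt query) when there is no entry or the entry has expired.
    /// `now` is passed in so expiry can be exercised without sleeping.
    pub fn get_or_lookup<F>(&mut self, host: &str, now: Instant, lookup: F) -> Result<String, String>
    where
        F: FnOnce(&str) -> Result<String, String>,
    {
        if let Some((id, stored)) = self.entries.get(host) {
            if now.saturating_duration_since(*stored) < self.ttl {
                return Ok(id.clone());
            }
        }
        // Missing or expired: drop any stale entry before looking up again, so
        // a failed lookup never leaves an old ID usable for authentication.
        self.entries.remove(host);
        let id = lookup(host)?;
        self.entries.insert(host.to_string(), (id.clone(), now));
        Ok(id)
    }
}

fn main() {
    let mut cache = MachineIdCache::new(MACHINE_ID_TTL);
    let t0 = Instant::now();
    let mut lookups = 0;
    // Constructed sample: one host signing three keys within a few seconds.
    for offset in [0u64, 1, 2] {
        let now = t0 + Duration::from_secs(offset);
        cache.get_or_lookup("host1.example.org", now, |_| { lookups += 1; Ok("constructed-id".into()) }).unwrap();
    }
    println!("3 requests, {} lookup(s)", lookups);
}
```

The cache trades freshness for speed: a machine ID that changes on the hypervisor side stays trusted for up to the TTL, so the window should stay short.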