SSH CA Setup in AWS - Permission Denied (Public Key) Issue

[muhammednihal05]

I implemented an SSH Certificate Authority (CA) and configured a target host in AWS using the steps outlined in this Smallstep blog post.

Everything went smoothly:

• The CA server is up and running.
• The target host is correctly configured to verify user certificates as mentioned in the blog.
• I bootstrapped the CA on my local system.
• I obtained a user certificate using the SSO flow.
• The certificate was successfully added to the local SSH agent.
• I configured SSH using step ssh config.

However, when attempting to SSH into the target host, I encounter the following error:
Permission denied (publickey).

All setup steps were followed exactly as described in the documentation. If you wish to reproduce the issue, simply follow the guide—I have not made any modifications beyond what is documented.

Any insights into what might be causing this issue would be greatly appreciated.

Steps to Reproduce:

1. Follow the blog post to set up the CA and target host.
2. Bootstrap the CA on a local machine.
3. Obtain a user certificate via SSO.
4. Ensure the certificate is added to the SSH agent.
5. Attempt to SSH into the target host.

Would appreciate any guidance on resolving this.

Thanks!

[hslatman]

Can you try setting an IdentityFile for the host you're trying to SSH to? It sounds like the order of authentication methods doesn't prefer the SSH certificate, or it may be trying to use an identity that's (only) in a key file not linked to the certificate. Using the IdentitiesOnly option might also help. You would put something like this in your ~/.ssh/config:

Host test test.example.com
  Hostname test.example.com
  IdentityFile ~/.ssh/id_ecdsa-cert.pub
  IdentitiesOnly yes

You can also try running ssh with -v, which should provide you with more debug logs. You can combine it with -T to test your connection, e.g. ssh -Tv user@test.example.com. You could also try changing the log level on your SSH server.