Add support for certificate auth.#122

Closed
Koalab99 wants to merge 1 commit into linuxserver:master from Koalab99:master

Conversation


@Koalab99 Koalab99 commented Apr 15, 2026

linuxserver.io


  • I have read the contributing guideline and understand that I have made the correct modifications

Description:

Add Trusted User Certificate Authority support. It adds a wrapper around TrustedUserCAKeys, just like PUBLIC_KEY.

Benefits of this PR and context:

It would allow user certificate authentication.

How Has This Been Tested?

# Create temp directory and cd there
cd $(mktemp -d)

# Generate key pairs (x and x.pub)
# Note: -b is ignored for ed25519, which has a fixed key size
ssh-keygen -b 4096 -t ed25519 -f ca
ssh-keygen -b 4096 -t ed25519 -f linuxserverio
ssh-keygen -b 4096 -t ed25519 -f inexistant

# Sign users' pubkeys with the CA (produces x-cert.pub); -n sets the principals
ssh-keygen -s ca -I linuxio_key -n linuxserver.io linuxserverio.pub
ssh-keygen -s ca -I inexistant_key -n inexistant inexistant.pub

# Start ssh server with ca certificate
CA=$(cat ca.pub)
docker run -d --rm \
    --name test-ca-auth \
    -e PUID=1000 \
    -e PGID=1000 \
    -e TZ=UTC \
    -e TRUSTED_CA="$CA" \
    -p 2223:2222 \
    linuxserver/openssh-server:localbuild # <--- Change the build tag here

# Test authentication
ssh -p 2223 -i linuxserverio linuxserver.io@127.0.0.1 # Works
ssh -p 2223 -i inexistant inexistant@127.0.0.1 # Permission denied

# Clean container
docker stop test-ca-auth

Source / References:

man 5 sshd_config, keyword "TrustedUserCAKeys":

  TrustedUserCAKeys
          Specifies a file containing public keys of certificate
          authorities that are trusted to sign user certificates for
          authentication, or none to not use one.  Keys are listed
          one per line; empty lines and comments starting with ‘#’
          are allowed.  If a certificate is presented for
          authentication and has its signing CA key listed in this
          file, then it may be used for authentication for any user
          listed in the certificate's principals list.  Note that
          certificates that lack a list of principals will not be
          permitted for authentication using TrustedUserCAKeys.  For
          more details on certificates, see the CERTIFICATES section
          in ssh-keygen(1).

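As an added example (not part of this PR or of the linuxserver image), a small Python parser for the ed25519 `*-cert.pub` file that `ssh-keygen -s` produces, applying the checks the sshd_config excerpt above describes: the certificate must be a user certificate, must carry at least one principal, and must be inside its validity window. The field layout follows OpenSSH's PROTOCOL.certkeys; the sample certificate is constructed inline with dummy key material, and the CA signature is deliberately not verified here (sshd does that against TrustedUserCAKeys).

```python
import base64
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # cert "type" field: 1 = user certificate, 2 = host certificate

def _str(b):  # SSH wire "string": 4-byte big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b
def _take(buf, off):  # read one wire string at off -> (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Decode the fields sshd consults from one *-cert.pub line (ed25519 only)."""
    kind, blob = line.split()[:2]
    buf = base64.b64decode(blob)
    ctype, off = _take(buf, 0)
    if kind.encode() != CERT_TYPE or ctype != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    _nonce, off = _take(buf, off)
    _pubkey, off = _take(buf, off)
    serial, ktype = struct.unpack_from(">QI", buf, off)  # uint64 serial, uint32 type
    key_id, off = _take(buf, off + 12)
    plist, off = _take(buf, off)  # principals: one string holding packed strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _take(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", buf, off)
    # critical options, extensions, reserved, CA key, signature follow (sig not checked here)
    return {"serial": serial, "type": ktype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def check_cert(cert, now):
    """Return (ok, reason) as sshd would decide for this cert at unix time now."""
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if not cert["principals"]:  # sshd_config(5): such certs are never accepted
        return False, "no principals"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    return True, "ok for principals " + ",".join(cert["principals"])

def build_sample_cert(principals, valid_after, valid_before, key_id="linuxio_key"):
    """Constructed sample with dummy nonce, key and signature, for testing the parser."""
    body = (_str(CERT_TYPE) + _str(b"\0" * 32) + _str(b"\x11" * 32)  # type, nonce, pk
            + struct.pack(">QI", 1, USER_CERT) + _str(key_id.encode())  # serial, type, id
            + _str(b"".join(_str(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _str(b"") * 3  # opts, ext, res
            + _str(b"dummy-ca-key") + _str(b"dummy-signature"))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " sample"
```

Run `parse_cert` on a real `linuxserverio-cert.pub` to see what the CA-signed certificate grants before trusting the CA in the container; `ssh-keygen -L -f linuxserverio-cert.pub` shows the same fields.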

@github-actions github-actions bot left a comment


Thanks for opening this pull request! Be sure to follow the pull request template!

@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/openssh-server/10.2_p1-r0-pkg-3843cd92-dev-3455a0cb0e4ef5e900070889ce9b389a43fb0c5c-pr-122/index.html
https://ci-tests.linuxserver.io/lspipepr/openssh-server/10.2_p1-r0-pkg-3843cd92-dev-3455a0cb0e4ef5e900070889ce9b389a43fb0c5c-pr-122/shellcheck-result.xml

Tag Passed
amd64-10.2_p1-r0-pkg-3843cd92-dev-3455a0cb0e4ef5e900070889ce9b389a43fb0c5c-pr-122
arm64v8-10.2_p1-r0-pkg-3843cd92-dev-3455a0cb0e4ef5e900070889ce9b389a43fb0c5c-pr-122

@aptalca
Member

aptalca commented Apr 15, 2026

Thanks for the PR but that's too many env vars for a feature needed by so few. Plus, one can easily do this manually by dropping the one file into the config folder and editing one line in the sshd config to point to it. That would be persistent.

If you really want automation, then it would be more appropriate to create a docker mod for it: https://mods.linuxserver.io/

@Koalab99
Author

Thank you for your quick reply, you are right. Would you be interested if I kept only TRUSTED_CA_FILE? If not, you can close the PR.

I hesitated between a PR and a mod, but since most mods (all of them?) were adding new packages and this patch was just related to openssh's configuration, it would better fit here. I was wrong, and I get it if it is better as a mod.
