endpoint just to get ca pub key

2026-01-06 22:23:53 -05:00 · 2025-12-19 14:48:11 -05:00
parent d5e766b0d6
commit 22e75002e6
3 changed files with 39 additions and 1 deletions
--- a/backend/src/ee/routes/v1/pam-resource-routers/index.ts
+++ b/backend/src/ee/routes/v1/pam-resource-routers/index.ts
@@ -25,7 +25,11 @@ import {
  UpdateSSHResourceSchema
 } from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";

-import { registerPamResourceEndpoints, registerSshCaSetupEndpoint } from "./pam-resource-endpoints";
+import {
+  registerPamResourceEndpoints,
+  registerSshCaPublicKeyEndpoint,
+  registerSshCaSetupEndpoint
+} from "./pam-resource-endpoints";

 export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: FastifyZodProvider) => Promise<void>> = {
  [PamResource.Postgres]: async (server: FastifyZodProvider) => {
@@ -54,6 +58,7 @@ export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: Fast
      createResourceSchema: CreateSSHResourceSchema,
      updateResourceSchema: UpdateSSHResourceSchema
    });
+    registerSshCaPublicKeyEndpoint(server);
    registerSshCaSetupEndpoint(server);
  },
  [PamResource.Kubernetes]: async (server: FastifyZodProvider) => {
--- a/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts
+++ b/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts
@@ -199,6 +199,32 @@ export const registerPamResourceEndpoints = <T extends TPamResource>({
  });
 };

+export const registerSshCaPublicKeyEndpoint = (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:resourceId/ssh-ca-public-key",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get the SSH CA public key for the PAM resource",
+      params: z.object({
+        resourceId: z.string().uuid()
+      }),
+      response: {
+        200: z.string()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req, reply) => {
+      const { caPublicKey } = await server.services.pamResource.getOrCreateSshCa(req.params.resourceId, req.permission);
+
+      void reply.header("Content-Type", "text/plain; charset=utf-8");
+      return caPublicKey;
+    }
+  });
+};
+
 export const registerSshCaSetupEndpoint = (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
--- a/docs/documentation/platform/pam/getting-started/resources/ssh.mdx
+++ b/docs/documentation/platform/pam/getting-started/resources/ssh.mdx
@@ -200,7 +200,14 @@ Certificate authentication requires additional setup on your SSH server to trust

    <Warning>
      **Manual setup**: If you prefer to configure the server manually, you can download just the CA public key and configure sshd yourself:
+
+      ```bash
+      curl -H "Authorization: Bearer <YOUR_TOKEN>" \
+        "https://app.infisical.com/api/v1/pam/resources/ssh/<RESOURCE_ID>/ssh-ca-public-key" \
+        | sudo tee /etc/ssh/infisical_ca.pub
+      ```
      
+      Then configure sshd:
      1. Add to `/etc/ssh/sshd_config`:
         ```
         TrustedUserCAKeys /etc/ssh/infisical_ca.pub