Refs #38478 - Introduce SSH cert support

Author: adamlazik1

app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb

@@ -10,6 +10,9 @@ description: |
 
   remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
 
+  remote_execution_ssh_ca_keys: public ssh CA keys to be put in
+                                /etc/ssh/sshd_config.d/60-user-ca.conf
+
   remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
                              authorized
 
@@ -33,7 +36,7 @@ if [ -z "$PKG_MANAGER" ]; then
 <%= indent(2) { snippet 'pkg_manager' } -%>
 fi
 
-<% if !host_param('remote_execution_ssh_keys').blank? %>
+<% if !host_param('remote_execution_ssh_keys').blank? || !host_param('remote_execution_ssh_ca_keys').blank? %>
 <% ssh_user = host_param('remote_execution_ssh_user') || 'root' %>
 
 user_exists=false
@@ -64,6 +67,18 @@ EOF
   # Restore SELinux context with restorecon, if it's available:
   command -v restorecon && restorecon -RvF <%= ssh_path %> || true
 
+<% if host_param('remote_execution_ssh_ca_keys').present? -%>
+  cat << EOF >> /etc/ssh/user-ca.pub
+<%= host_param('remote_execution_ssh_ca_keys').is_a?(String) ? host_param('remote_execution_ssh_ca_keys') : host_param('remote_execution_ssh_ca_keys').join("\n") %>
+EOF
+
+  chmod 0644 /etc/ssh/user-ca.pub
+
+  mkdir -p /etc/ssh/sshd_config.d
+  echo 'TrustedUserCAKeys /etc/ssh/user-ca.pub' >/etc/ssh/sshd_config.d/60-user-ca.conf
+  systemctl restart sshd
+<% end -%>
+
 <% if ssh_user != 'root' && host_param('remote_execution_effective_user_method') == 'sudo' -%>
 if [ ! -x "$(command -v sudo)" ]; then
   $PKG_MANAGER_INSTALL sudo