
Announcing v0.14.2 of step and step-ca


Max Furman

Version 0.14.2 of step and step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step and step-ca from GitHub. This is a big and long-awaited open-source release. We thank the community for the feedback and pull requests; our issues and Gitter channels have never been busier.

V0.14.2 step

This release adds initial support for Microsoft Windows and a suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!

V0.14.2 step-ca

This release adds first-class support for an SSH certificate authority that features SSO for SSH flows, the TLS-ALPN-01 challenge in the ACME API (thanks @ibrt!), and Software and CloudKMS options for storing PKI. Thank you to @josephvoss, @jkralik, @rmedaer, @anxolerd, @ibrt, @256dpi, @Johannestegner, @mkontani.

CLI | step v0.14.2 includes:

  • Add step ssh proxy.
  • Add ability to use templates in step ssh config.
  • Add support for multiple SSH root certificates (federation).
  • Add step ssh check-host
  • Add option to set listenAddress in OIDC provisioners.
  • Add step ssh fingerprint
  • Add step ssh proxycommand
  • Add an SSH POP provisioner that can renew/rekey/revoke SSH certificates using that same certificate's private key to sign a JWT.
  • Allow K8sSA provisioner to generate SSH certificates.
  • Add method(s) to list SSH keys and certificates
  • Add identity certificate support to step ssh (login | certificate)
  • Initial MS Windows support
  • Add support for parsing and serializing the OpenSSH format
  • Add support for OpenSSH private keys in step crypto key format
  • Add ARM builds
  • Fix zsh autocompletion

Certificates | step-ca v0.14.2 includes:

  • Update Sign and Renew API to return certificate chain of arbitrary length (rather than 1 intermediate and 1 leaf)
  • Add ‘x5c’ provisioner that can authenticate to the CA using an x509 certificate to sign a JWT
  • Switch to Go Mod (from Go Dep)
  • Add Kubernetes Service Account Provisioner (k8sSA) - validate and authenticate Kubernetes service account tokens
  • Add step ssh config implementation
  • Onboarding Flow
  • Add support for templated ssh configuration
  • Add support for multiple ssh roots - e.g. for federation and rolling roots.
  • Add step ssh check-host endpoint and implementation
  • Set default ssh user cert duration to 16hr
  • Add step ssh proxycommand implementation
  • Add step ssh hosts implementation / api
  • Add ssh POP provisioner allowing signing of OTTs using ssh certificates
  • Add support for ssh via bastion
  • Add identity x509 certificates to the ssh flow
  • Update error API to return errors that retain information about the error, HTTP statuses and messages, and user-facing dialogue.
  • Fix wildcard domain normalization in DNS ACME challenge
  • Add fault tolerance against clock skew to x509 and ssh certificates
  • Add support for CloudKMS
  • Add support for SoftKMS (software KMS)
  • Use crypto.Signer for all signing operations instead of private keys directly.
  • Fix race conditions in certificate renewal
  • Remove custom x509 package (go x509 now supports ECDSA keys)
  • Add optional DNS resolver to be used instead of the default
  • Add TLS-ALPN-01 challenge implementation
  • Add tooling to initialize PKI in CloudKMS.
  • Add docs for CloudKMS
  • Allow using custom SSH principals on cloud provisioners
  • Upgrade github.com/x/crypto to fix a vulnerability in ssh
  • Switch to using host Tags instead of Groups in SSH
  • Add ARM builds as part of CI/CD packaging

That's (a lot!) it, for now…


Issues & PRs always welcome. Or join us on Gitter and help us build v0.15.0!
