Add requirement for ssh issue credentials command to include either outFilePath or addToAgent flag

CLI - SSH Capabilities

Dockerfile.fips.standalone-infisical

@@ -137,6 +137,7 @@ RUN apt-get update && apt-get install -y \
     freetds-dev \
     freetds-bin \
     tdsodbc \
+    openssh \
     && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC in production

Dockerfile.standalone-infisical

@@ -139,7 +139,8 @@ RUN apk --update add \
     freetds-dev \
     bash \
     curl \
-    git
+    git \
+    openssh
 
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

cli/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.4.3
+	github.com/infisical/go-sdk v0.4.7
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
@@ -23,8 +23,8 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/crypto v0.25.0
-	golang.org/x/term v0.22.0
+	golang.org/x/crypto v0.31.0
+	golang.org/x/term v0.27.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -93,9 +93,9 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect

cli/go.sum

@@ -265,8 +265,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.4.3 h1:O5ZJ2eCBAZDE9PIAfBPq9Utb2CgQKrhmj9R0oFTRu4U=
-github.com/infisical/go-sdk v0.4.3/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
+github.com/infisical/go-sdk v0.4.7 h1:+cxIdDfciMh0Syxbxbqjhvz9/ShnN1equ2zqlVQYGtw=
+github.com/infisical/go-sdk v0.4.7/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -453,8 +453,8 @@ golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -564,8 +564,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -620,16 +620,16 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -643,8 +643,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

cli/packages/cmd/ssh.go

@@ -0,0 +1,609 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/util"
+	infisicalSdk "github.com/infisical/go-sdk"
+	infisicalSdkUtil "github.com/infisical/go-sdk/packages/util"
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+var sshCmd = &cobra.Command{
+	Example:               `infisical ssh`,
+	Short:                 "Used to issue SSH credentials",
+	Use:                   "ssh",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+}
+
+var sshIssueCredentialsCmd = &cobra.Command{
+	Example:               `ssh issue-credentials`,
+	Short:                 "Used to issue SSH credentials against a certificate template",
+	Use:                   "issue-credentials",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   issueCredentials,
+}
+
+var sshSignKeyCmd = &cobra.Command{
+	Example:               `ssh sign-key`,
+	Short:                 "Used to sign a SSH public key against a certificate template",
+	Use:                   "sign-key",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   signKey,
+}
+
+var algoToFileName = map[infisicalSdkUtil.CertKeyAlgorithm]string{
+	infisicalSdkUtil.RSA2048:   "id_rsa_2048",
+	infisicalSdkUtil.RSA4096:   "id_rsa_4096",
+	infisicalSdkUtil.ECDSAP256: "id_ecdsa_p256",
+	infisicalSdkUtil.ECDSAP384: "id_ecdsa_p384",
+}
+
+func isValidKeyAlgorithm(algo infisicalSdkUtil.CertKeyAlgorithm) bool {
+	_, exists := algoToFileName[algo]
+	return exists
+}
+
+func isValidCertType(certType infisicalSdkUtil.SshCertType) bool {
+	switch certType {
+	case infisicalSdkUtil.UserCert, infisicalSdkUtil.HostCert:
+		return true
+	default:
+		return false
+	}
+}
+
+func writeToFile(filePath string, content string, perm os.FileMode) error {
+	// Ensure the directory exists
+	dir := filepath.Dir(filePath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", dir, err)
+	}
+
+	// Write the content to the file
+	err := os.WriteFile(filePath, []byte(content), perm)
+	if err != nil {
+		return fmt.Errorf("failed to write to file %s: %w", filePath, err)
+	}
+
+	return nil
+}
+
+func addCredentialsToAgent(privateKeyContent, certContent string) error {
+	// Parse the private key
+	privateKey, err := ssh.ParseRawPrivateKey([]byte(privateKeyContent))
+	if err != nil {
+		return fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	// Parse the certificate
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(certContent))
+	if err != nil {
+		return fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	cert, ok := pubKey.(*ssh.Certificate)
+	if !ok {
+		return fmt.Errorf("parsed key is not a certificate")
+	}
+	// Calculate LifetimeSecs based on certificate's valid-to time
+	validUntil := time.Unix(int64(cert.ValidBefore), 0)
+	now := time.Now()
+
+	// Handle ValidBefore as either a timestamp or an enumeration
+	// SSH certificates use ValidBefore as a timestamp unless set to 0 or ~0
+	if cert.ValidBefore == ssh.CertTimeInfinity {
+		// If certificate never expires, set default lifetime to 1 year (can adjust as needed)
+		validUntil = now.Add(365 * 24 * time.Hour)
+	}
+
+	// Calculate the duration until expiration
+	lifetime := validUntil.Sub(now)
+	if lifetime <= 0 {
+		return fmt.Errorf("certificate is already expired")
+	}
+
+	// Convert duration to seconds
+	lifetimeSecs := uint32(lifetime.Seconds())
+
+	// Connect to the SSH agent
+	socket := os.Getenv("SSH_AUTH_SOCK")
+	if socket == "" {
+		return fmt.Errorf("SSH_AUTH_SOCK not set")
+	}
+
+	conn, err := net.Dial("unix", socket)
+	if err != nil {
+		return fmt.Errorf("failed to connect to SSH agent: %w", err)
+	}
+	defer conn.Close()
+
+	agentClient := agent.NewClient(conn)
+
+	// Add the key with certificate to the agent
+	err = agentClient.Add(agent.AddedKey{
+		PrivateKey:   privateKey,
+		Certificate:  cert,
+		Comment:      "Added via Infisical CLI",
+		LifetimeSecs: lifetimeSecs,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to add key to agent: %w", err)
+	}
+
+	return nil
+}
+
+func issueCredentials(cmd *cobra.Command, args []string) {
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var infisicalToken string
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	certificateTemplateId, err := cmd.Flags().GetString("certificateTemplateId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+	if certificateTemplateId == "" {
+		util.PrintErrorMessageAndExit("You must set the --certificateTemplateId flag")
+	}
+
+	principalsStr, err := cmd.Flags().GetString("principals")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	// Check if the input string is empty before splitting
+	if principalsStr == "" {
+		util.HandleError(fmt.Errorf("no principals provided"), "The 'principals' flag cannot be empty")
+	}
+
+	// Convert the comma-delimited string into a slice of strings
+	principals := strings.Split(principalsStr, ",")
+	for i, principal := range principals {
+		principals[i] = strings.TrimSpace(principal)
+	}
+
+	keyAlgorithm, err := cmd.Flags().GetString("keyAlgorithm")
+	if err != nil {
+		util.HandleError(err, "Unable to parse keyAlgorithm flag")
+	}
+
+	if !isValidKeyAlgorithm(infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)) {
+		util.HandleError(fmt.Errorf("invalid keyAlgorithm: %s", keyAlgorithm),
+			"Valid values: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1")
+	}
+
+	certType, err := cmd.Flags().GetString("certType")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if !isValidCertType(infisicalSdkUtil.SshCertType(certType)) {
+		util.HandleError(fmt.Errorf("invalid certType: %s", certType),
+			"Valid values: user, host")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	keyId, err := cmd.Flags().GetString("keyId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	outFilePath, err := cmd.Flags().GetString("outFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	addToAgent, err := cmd.Flags().GetBool("addToAgent")
+	if err != nil {
+		util.HandleError(err, "Unable to parse addToAgent flag")
+	}
+
+	if outFilePath == "" && addToAgent == false {
+		util.PrintErrorMessageAndExit("You must provide either --outFilePath or --addToAgent flag to use this command")
+	}
+
+	var (
+		outputDir      string
+		privateKeyPath string
+		publicKeyPath  string
+		signedKeyPath  string
+	)
+
+	if outFilePath != "" {
+		// Expand ~ to home directory if present
+		if strings.HasPrefix(outFilePath, "~") {
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			outFilePath = strings.Replace(outFilePath, "~", homeDir, 1)
+		}
+
+		// Check if outFilePath ends with "-cert.pub"
+		if strings.HasSuffix(outFilePath, "-cert.pub") {
+			// Treat outFilePath as the signed key path
+			signedKeyPath = outFilePath
+
+			// Derive the base name by removing "-cert.pub"
+			baseName := strings.TrimSuffix(filepath.Base(outFilePath), "-cert.pub")
+
+			// Set the output directory
+			outputDir = filepath.Dir(outFilePath)
+
+			// Define private and public key paths
+			privateKeyPath = filepath.Join(outputDir, baseName)
+			publicKeyPath = filepath.Join(outputDir, baseName+".pub")
+		} else {
+			// Treat outFilePath as a directory
+			outputDir = outFilePath
+
+			// Check if the directory exists; if not, create it
+			info, err := os.Stat(outputDir)
+			if os.IsNotExist(err) {
+				err = os.MkdirAll(outputDir, 0755)
+				if err != nil {
+					util.HandleError(err, "Failed to create output directory")
+				}
+			} else if err != nil {
+				util.HandleError(err, "Failed to access output directory")
+			} else if !info.IsDir() {
+				util.PrintErrorMessageAndExit("The provided --outFilePath is not a directory")
+			}
+		}
+	}
+
+	// Define file names based on key algorithm
+	fileName := algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)]
+
+	// Define file paths
+	privateKeyPath = filepath.Join(outputDir, fileName)
+	publicKeyPath = filepath.Join(outputDir, fileName+".pub")
+	signedKeyPath = filepath.Join(outputDir, fileName+"-cert.pub")
+
+	// If outFilePath ends with "-cert.pub", ensure the signedKeyPath is set
+	if strings.HasSuffix(outFilePath, "-cert.pub") {
+		// Ensure the signedKeyPath was set
+		if signedKeyPath == "" {
+			util.HandleError(fmt.Errorf("signedKeyPath is not set correctly"), "Internal error")
+		}
+	} else {
+		// Ensure all paths are set
+		if privateKeyPath == "" || publicKeyPath == "" || signedKeyPath == "" {
+			util.HandleError(fmt.Errorf("file paths are not set correctly"), "Internal error")
+		}
+	}
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	creds, err := infisicalClient.Ssh().IssueCredentials(infisicalSdk.IssueSshCredsOptions{
+		CertificateTemplateID: certificateTemplateId,
+		Principals:            principals,
+		KeyAlgorithm:          infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm),
+		CertType:              infisicalSdkUtil.SshCertType(certType),
+		TTL:                   ttl,
+		KeyID:                 keyId,
+	})
+
+	if err != nil {
+		util.HandleError(err, "Failed to issue SSH credentials")
+	}
+
+	if outFilePath != "" {
+		// If signedKeyPath wasn't set in the directory scenario, set it now
+		if signedKeyPath == "" {
+			fileName := algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)]
+			signedKeyPath = filepath.Join(outputDir, fileName+"-cert.pub")
+		}
+
+		if privateKeyPath == "" {
+			privateKeyPath = filepath.Join(outputDir, algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)])
+		}
+		err = writeToFile(privateKeyPath, creds.PrivateKey, 0600)
+		if err != nil {
+			util.HandleError(err, "Failed to write Private Key to file")
+		}
+
+		if publicKeyPath == "" {
+			publicKeyPath = privateKeyPath + ".pub"
+		}
+		err = writeToFile(publicKeyPath, creds.PublicKey, 0644)
+		if err != nil {
+			util.HandleError(err, "Failed to write Public Key to file")
+		}
+
+		err = writeToFile(signedKeyPath, creds.SignedKey, 0644)
+		if err != nil {
+			util.HandleError(err, "Failed to write Signed Key to file")
+		}
+
+		fmt.Println("Successfully wrote SSH certificate to:", signedKeyPath)
+	}
+
+	// Add SSH credentials to the SSH agent if needed
+	if addToAgent {
+		// Call the helper function to handle add-to-agent flow
+		err := addCredentialsToAgent(creds.PrivateKey, creds.SignedKey)
+		if err != nil {
+			util.HandleError(err, "Failed to add keys to SSH agent")
+		} else {
+			fmt.Println("The SSH key and certificate have been successfully added to your ssh-agent.")
+		}
+	}
+}
+
+func signKey(cmd *cobra.Command, args []string) {
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var infisicalToken string
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	certificateTemplateId, err := cmd.Flags().GetString("certificateTemplateId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+	if certificateTemplateId == "" {
+		util.PrintErrorMessageAndExit("You must set the --certificateTemplateId flag")
+	}
+
+	publicKey, err := cmd.Flags().GetString("publicKey")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	publicKeyFilePath, err := cmd.Flags().GetString("publicKeyFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if publicKey == "" && publicKeyFilePath == "" {
+		util.HandleError(fmt.Errorf("either --publicKey or --publicKeyFilePath must be provided"), "Invalid input")
+	}
+
+	if publicKey != "" && publicKeyFilePath != "" {
+		util.HandleError(fmt.Errorf("only one of --publicKey or --publicKeyFile can be provided"), "Invalid input")
+	}
+
+	if publicKeyFilePath != "" {
+		if strings.HasPrefix(publicKeyFilePath, "~") {
+			// Expand the tilde (~) to the user's home directory
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			publicKeyFilePath = strings.Replace(publicKeyFilePath, "~", homeDir, 1)
+		}
+
+		// Ensure the file has a .pub extension
+		if !strings.HasSuffix(publicKeyFilePath, ".pub") {
+			util.HandleError(fmt.Errorf("public key file must have a .pub extension"), "Invalid input")
+		}
+
+		content, err := os.ReadFile(publicKeyFilePath)
+		if err != nil {
+			util.HandleError(err, "Failed to read public key file")
+		}
+
+		publicKey = strings.TrimSpace(string(content))
+	}
+
+	if strings.TrimSpace(publicKey) == "" {
+		util.HandleError(fmt.Errorf("Public key is empty"), "Invalid input")
+	}
+
+	principalsStr, err := cmd.Flags().GetString("principals")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	// Check if the input string is empty before splitting
+	if principalsStr == "" {
+		util.HandleError(fmt.Errorf("no principals provided"), "The 'principals' flag cannot be empty")
+	}
+
+	// Convert the comma-delimited string into a slice of strings
+	principals := strings.Split(principalsStr, ",")
+	for i, principal := range principals {
+		principals[i] = strings.TrimSpace(principal)
+	}
+
+	certType, err := cmd.Flags().GetString("certType")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if !isValidCertType(infisicalSdkUtil.SshCertType(certType)) {
+		util.HandleError(fmt.Errorf("invalid certType: %s", certType),
+			"Valid values: user, host")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	keyId, err := cmd.Flags().GetString("keyId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	outFilePath, err := cmd.Flags().GetString("outFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var (
+		outputDir     string
+		signedKeyPath string
+	)
+
+	if outFilePath == "" {
+		// Use current working directory
+		if err != nil {
+			util.HandleError(err, "Failed to get current working directory")
+		}
+
+		// check if public key path exists
+		if publicKeyFilePath == "" {
+			util.PrintErrorMessageAndExit("--outFilePath must be specified when --publicKeyFilePath is not provided")
+		}
+
+		outputDir = filepath.Dir(publicKeyFilePath)
+		// Derive the base name by removing "-cert.pub"
+		baseName := strings.TrimSuffix(filepath.Base(publicKeyFilePath), ".pub")
+		signedKeyPath = filepath.Join(outputDir, baseName+"-cert.pub")
+	} else {
+		// Expand ~ to home directory if present
+		if strings.HasPrefix(outFilePath, "~") {
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			outFilePath = strings.Replace(outFilePath, "~", homeDir, 1)
+		}
+
+		// Check if outFilePath ends with "-cert.pub"
+		if !strings.HasSuffix(outFilePath, "-cert.pub") {
+			util.PrintErrorMessageAndExit("--outFilePath must end with -cert.pub")
+		}
+
+		// Extract the directory from outFilePath
+		outputDir = filepath.Dir(outFilePath)
+
+		// Validate the output directory
+		info, err := os.Stat(outputDir)
+		if os.IsNotExist(err) {
+			// Directory does not exist; attempt to create it
+			err = os.MkdirAll(outputDir, 0755)
+			if err != nil {
+				util.HandleError(err, "Failed to create output directory")
+			}
+		} else if err != nil {
+			// Other errors accessing the directory
+			util.HandleError(err, "Failed to access output directory")
+		} else if !info.IsDir() {
+			// Path exists but is not a directory
+			util.PrintErrorMessageAndExit("The provided --outFilePath's directory is not valid")
+		}
+
+		signedKeyPath = outFilePath
+	}
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	creds, err := infisicalClient.Ssh().SignKey(infisicalSdk.SignSshPublicKeyOptions{
+		CertificateTemplateID: certificateTemplateId,
+		PublicKey:             publicKey,
+		Principals:            principals,
+		CertType:              infisicalSdkUtil.SshCertType(certType),
+		TTL:                   ttl,
+		KeyID:                 keyId,
+	})
+
+	if err != nil {
+		util.HandleError(err, "Failed to sign SSH public key")
+	}
+
+	err = writeToFile(signedKeyPath, creds.SignedKey, 0644)
+	if err != nil {
+		util.HandleError(err, "Failed to write Signed Key to file")
+	}
+
+	fmt.Println("Successfully wrote SSH certificate to:", signedKeyPath)
+}
+
+func init() {
+	sshSignKeyCmd.Flags().String("token", "", "Issue SSH certificate using machine identity access token")
+	sshSignKeyCmd.Flags().String("certificateTemplateId", "", "The ID of the SSH certificate template to issue the SSH certificate for")
+	sshSignKeyCmd.Flags().String("publicKey", "", "The public key to sign")
+	sshSignKeyCmd.Flags().String("publicKeyFilePath", "", "The file path to the public key file to sign")
+	sshSignKeyCmd.Flags().String("outFilePath", "", "The path to write the SSH certificate to such as ~/.ssh/id_rsa-cert.pub. If not provided, the credentials will be saved to the directory of the specified public key file path or the current working directory")
+	sshSignKeyCmd.Flags().String("principals", "", "The principals that the certificate should be signed for")
+	sshSignKeyCmd.Flags().String("certType", string(infisicalSdkUtil.UserCert), "The cert type for the created certificate")
+	sshSignKeyCmd.Flags().String("ttl", "", "The ttl for the created certificate")
+	sshSignKeyCmd.Flags().String("keyId", "", "The keyId that the created certificate should have")
+	sshCmd.AddCommand(sshSignKeyCmd)
+
+	sshIssueCredentialsCmd.Flags().String("token", "", "Issue SSH credentials using machine identity access token")
+	sshIssueCredentialsCmd.Flags().String("certificateTemplateId", "", "The ID of the SSH certificate template to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("principals", "", "The principals to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("keyAlgorithm", string(infisicalSdkUtil.RSA2048), "The key algorithm to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("certType", string(infisicalSdkUtil.UserCert), "The cert type to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("ttl", "", "The ttl to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("keyId", "", "The keyId to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("outFilePath", "", "The path to write the SSH credentials to such as ~/.ssh, ./some_folder, ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be saved to the current working directory")
+	sshIssueCredentialsCmd.Flags().Bool("addToAgent", false, "Whether to add issued SSH credentials to the SSH agent")
+	sshCmd.AddCommand(sshIssueCredentialsCmd)
+	rootCmd.AddCommand(sshCmd)
+}

docs/documentation/platform/ssh.mdx

@@ -159,7 +159,19 @@ as part of the SSH operation.
 
 ## Guide to Using Infisical SSH to Access a Host
 
-We show how to obtain a SSH certificate (and optionally a new SSH key pair) for a client to access a host via CLI:
+We show how to obtain a SSH certificate and use it for a client to access a host via CLI:
+
+<Note>
+  The subsequent guide assumes the following prerequisites:
+
+- SSH Agent is running: The `ssh-agent` must be actively running on the host machine.
+- OpenSSH is installed: The system should have OpenSSH installed; this includes
+  both the `ssh` client and `ssh-agent`.
+- `SSH_AUTH_SOCK` environment variable
+  is set; the `SSH_AUTH_SOCK` variable should point to the UNIX socket that
+  `ssh-agent` uses for communication.
+
+</Note>
 
 <Steps>
   <Step title="Authenticate with Infisical">
@@ -169,70 +181,25 @@ infisical login
 ```
 
   </Step>
-  <Step title="Obtain a SSH certificate (and optionally new key-pair)">
-    Depending on the use-case, a client may either request a SSH certificate along with a new SSH key pair or obtain a SSH certificate for an existing SSH key pair to access a host.
+  <Step title="Obtain a SSH certificate and load it into the SSH agent">
+    Run the `infisical ssh issue-credentials` command, specifying the `--addToAgent` flag to automatically load the SSH certificate into the SSH agent.
+    ```bash
+    infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<username> --addToAgent
+    ```
 
-    <AccordionGroup>
-      <Accordion title="Using New Key Pair (Recommended)">
-        If you wish to obtain a new SSH key pair in conjunction with the SSH certificate, then you can use the `infisical ssh issue-credentials` command.
+    Here's some guidance on each flag:
 
-        ```bash
-        infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<username>
-        ```
-
-        The following flags may be relevant:
-
-        - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
-        - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
-        - `outFilePath` (optional): The path to the file to write the SSH certificate to.
-
-        <Note>
-          If `outFilePath` is not specified, the SSH certificate will be written to the current working directory where the command is run.
-        </Note>
-
-      </Accordion>
-      <Accordion title="Using Existing Key Pair">
-        If you have an existing SSH key pair, then you can use the `infisical ssh sign-key` command with either
-        the `--publicKey` flag or the `--publicKeyFilePath` flag to obtain a SSH certificate corresponding to
-        the existing credential.
-
-        ```bash
-        infisical ssh sign-key --publicKeyFilePath=<public-key-file-path> --certificateTemplateId=<certificate-template-id> --principals=<username>
-        ```
-
-        The following flags may be relevant:
-
-        - `publicKey`: The public key to sign.
-        - `publicKeyFilePath`: The path to the public key file to sign.
-        - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
-        - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
-        - `outFilePath` (optional): The path to the file to write the SSH certificate to.
-
-        <Note>
-          If `outFilePath` is not specified but `publicKeyFilePath` is then the SSH certificate will be written to the directory of the public key file; if the public key file is called `id_rsa.pub`, then the file containing the SSH certificate will be called `id_rsa-cert.pub`.
-
-          Otherwise, if `outFilePath` is not specified, the SSH certificate will be written to the current working directory where the command is run.
-        </Note>
-
-      </Accordion>
-    </AccordionGroup>
+    - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
+    - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
 
   </Step>
   <Step title="SSH into the host">
-    Once you have obtained the SSH certificate, you can use it to SSH into the desired host.
+    Finally, SSH into the desired host; the SSH operation will be performed using the SSH certificate loaded into the SSH agent.
 
     ```bash
-    ssh -i /path/to/private_key.pem \
-    -o CertificateFile=/path/to/ssh-cert.pub \
-    username@hostname
+    ssh username@hostname
     ```
 
-    <Note>
-      We recommend setting up aliases so you can more easily SSH into the desired host.
-
-      For example, you may set up an SSH alias using the SSH client configuration file (usually `~/.ssh/config`), defining a host alias including the file path to the issued SSH credential(s).
-    </Note>
-
   </Step>
 </Steps>