Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

As far as I can tell, it doesn't appear that opnsense provides the ability to use custom SSH keys that are signed with SSH certificates. (see here on SSH certificates)

Specifically, I would like to be able to add something like this to the sshd_config (and also remove the existing HostKey entries):

HostKey /custom/dir/ssh_host_ed25519_key
HostKey /custom/dir/ssh_host_rsa_key
HostCertificate /custom/dir/ssh_host_ed25519_key-cert.pub
HostCertificate /custom/dir/ssh_host_rsa_key-cert.pub
TrustedUserCAKeys /custom/dir/trusted-user-ca-keys.pem

Describe the solution you like

What would be really nice is some way to change or hook into the sshd_config before it is written. I'm not familiar enough with opnsense to know if/how this problem is solved with other configuration files, but, ideally, it would be consistent with that method.

Describe alternatives you considered

Another possibility would be to put the keys and certificates in /conf/ssh/ and assume a specific format (i.e. ``*-cert.pubfor certificates) and automatically add theHostCertificate` line if that file exists in `/conf/ssh/`. This doesn't solve the problem of removing unwanted `HostKey` entries (as removed keys appear to be automatically regenerated) or adding `TrustedUserCAKeys`.

Additional context

I'm happy to contribute, but I would like input on a good solution before doing anything.

Thanks!