r/ssh-host-certs: Manage SSH host certificates

The *ssh-host-certs* role, which is now applied as part of the `base.yml` playbook and therefore applies to all managed nodes, is responsible for installing the *sshca-cli* package and using it to request signed SSH host certificates. The *sshca-cli-systemd* sub-package includes systemd units that automate the process of requesting and renewing host certificates. These units need to be enabled and provided the URL of the SSHCA service. Additionally, the SSH daemon needs to be configured to load the host certificates.
2023-11-07 18:29:25 -06:00
parent c3f58aff83
commit dfd828af08
8 changed files with 67 additions and 0 deletions
--- a/roles/ssh-host-certs/defaults/main.yml
+++ b/roles/ssh-host-certs/defaults/main.yml
@@ -0,0 +1,4 @@
+ssh_host_certs:
+- /etc/ssh/ssh_host_ed25519_key-cert.pub
+- /etc/ssh/ssh_host_rsa_key-cert.pub
+- /etc/ssh/ssh_host_ecdsa_key-cert.pub
--- a/roles/ssh-host-certs/handlers/main.yml
+++ b/roles/ssh-host-certs/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart ssh-host-certs.target
+  systemd:
+    name: ssh-host-certs.target
+    state: started
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
--- a/roles/ssh-host-certs/meta/main.yml
+++ b/roles/ssh-host-certs/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: dch-yum
+  tags: dch-yum
--- a/roles/ssh-host-certs/tasks/main.yml
+++ b/roles/ssh-host-certs/tasks/main.yml
@@ -0,0 +1,41 @@
+- name: ensure sshca-cli-systemd is installed
+  package:
+    name: sshca-cli-systemd
+    state: present
+  notify:
+  - restart ssh-host-certs.target
+  tags:
+  - install
+
+- name: ensure ssh-host-cert-sign is configured
+  template:
+    src: ssh-host-cert-sign.env.j2
+    dest: /etc/sysconfig/ssh-host-cert-sign
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - restart ssh-host-certs.target
+  tags:
+  - config
+
+- name: ensure ssh-host-certs-renew.timer is enabled
+  systemd:
+    name: ssh-host-certs-renew.timer
+    enabled: true
+    state: started
+  tags:
+  - service
+
+- name: ensure sshd is configured to use host certificates
+  template:
+    src: hostcertificate.conf.j2
+    dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload sshd
+  tags:
+  - config
+  - sshd_config
--- a/roles/ssh-host-certs/templates/hostcertificate.conf.j2
+++ b/roles/ssh-host-certs/templates/hostcertificate.conf.j2
@@ -0,0 +1,5 @@
+{% if ssh_host_certs|d(none) %}
+{% for cert in ssh_host_certs | sort %}
+HostCertificate {{ cert }}
+{% endfor %}
+{% endif %}
--- a/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
+++ b/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
@@ -0,0 +1 @@
+SSHCA_SERVER={{ sshca_url }}