From f83cea50e9cfb723a3b9e6f5a9b7e389b1242305 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 1 Feb 2024 18:44:52 -0600
Subject: [PATCH] r/ssu-user-ca: Configure sshd TrustedUserCAKeys

The `TrustedUserCAKeys` setting for *sshd(8)* tells the server to accept any certificates signed by keys listed in the specified file. The authenticating username has to match one of the principals listed in the certificate, of course. This role is applied to all machines, via the `base.yml` playbook. Certificates issued by the user CA managed by SSHCA will therefore be trusted everywhere. This brings us one step closer to eliminating the dependency on Active Directory/Samba.
---
base.yml | 1 +
group_vars/all.yml | 2 ++
roles/ssh-user-ca/defaults/main.yml | 1 +
.../ssh-user-ca/files/trustedusercakeys.conf | 1 +
roles/ssh-user-ca/tasks/main.yml | 24 +++++++++++++++++++
5 files changed, 29 insertions(+)
create mode 100644 roles/ssh-user-ca/defaults/main.yml
create mode 100644 roles/ssh-user-ca/files/trustedusercakeys.conf
create mode 100644 roles/ssh-user-ca/tasks/main.yml
diff --git a/base.yml b/base.yml
index ebe5324..9f9df55 100644
--- a/base.yml
+++ b/base.yml
@@ -4,6 +4,7 @@
- base
- role: ssh-host-certs
tags: ssh-host-certs
+ - ssh-user-ca
- hosts: kvm-guest
roles:
- serial-console
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 85ce756..47a761d 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,4 +1,6 @@
sshca_url: https://sshca.pyrocufflink.blue
+ssh_trusted_user_ca_keys: >-
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
certbot_account_email: dustin@hatch.name
smtp:
diff --git a/roles/ssh-user-ca/defaults/main.yml b/roles/ssh-user-ca/defaults/main.yml
new file mode 100644
index 0000000..7f9738d
--- /dev/null
+++ b/roles/ssh-user-ca/defaults/main.yml
@@ -0,0 +1 @@
+ssh_trusted_user_ca_keys: ''
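Review bot: `ssh_trusted_user_ca_keys` in the group_vars/all.yml hunk is declared with a folded block scalar (`>-`), so a second CA key added on its own line would be folded into the first with a space, and the rendered /etc/ssh/ca.pub would then hold one malformed line where sshd expects one key per line. Since the tasks hunk writes this variable verbatim into the TrustedUserCAKeys file, a literal block keeps each key on its own line and renders identically for the single key here: `ssh_trusted_user_ca_keys: |-`. This value is the root of trust for certificate logins on every host in base.yml, so it deserves a comment above it such as `# SSHCA user CA public key: sshd on every base.yml host accepts certificates signed by it; rotate here and in SSHCA together.`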
diff --git a/roles/ssh-user-ca/files/trustedusercakeys.conf b/roles/ssh-user-ca/files/trustedusercakeys.conf
new file mode 100644
index 0000000..6b31833
--- /dev/null
+++ b/roles/ssh-user-ca/files/trustedusercakeys.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/ca.pub
diff --git a/roles/ssh-user-ca/tasks/main.yml b/roles/ssh-user-ca/tasks/main.yml
new file mode 100644
index 0000000..e1aae42
--- /dev/null
+++ b/roles/ssh-user-ca/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: ensure sshd is configured to trust user ca keys
+ copy:
+ src: trustedusercakeys.conf
+ dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload sshd
+ tags:
+ - ssh-user-ca
+ - sshd-config
+ - config
+
+- name: ensure ssh trusted user ca list is set
+ copy:
+ dest: /etc/ssh/ca.pub
+ content: >+
+ {{ ssh_trusted_user_ca_keys }}
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - ssh-user-ca
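Review bot: In the tasks/main.yml hunk the drop-in that sets `TrustedUserCAKeys /etc/ssh/ca.pub` is installed by the first task, but /etc/ssh/ca.pub is only created by the second, so a run that fails between them leaves sshd configured to reference a file that does not yet exist; swapping the two tasks closes that window. The second task also lacks the `sshd-config` and `config` tags the first carries, so `--tags sshd-config` would refresh the drop-in but not the key file it points at; add `- sshd-config` and `- config` under its `tags:`. `content: >+` is an unusual way to obtain a trailing newline; `content: "{{ ssh_trusted_user_ca_keys }}\n"` states that intent plainly. With the role default of `''` the second task still writes an empty ca.pub, which presumably trusts no CA at all; a short comment on the task saying that is the intended no-op would save the next reader from wondering whether the empty file is a mistake.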