r/ssu-user-ca: Configure sshd TrustedUserCAKeys

The `TrustedUserCAKeys` setting for *sshd(8)* tells the server to accept
any certificates signed by keys listed in the specified file.
The authenticating username has to match one of the principals listed in
the certificate, of course.

This role is applied to all machines, via the `base.yml` playbook.
Certificates issued by the user CA managed by SSHCA will therefore be
trusted everywhere.  This brings us one step closer to eliminating the
dependency on Active Directory/Samba.

base.yml

@@ -4,6 +4,7 @@
   - base
   - role: ssh-host-certs
     tags: ssh-host-certs
+  - ssh-user-ca
 - hosts: kvm-guest
   roles:
   - serial-console

group_vars/all.yml

@@ -1,4 +1,6 @@
 sshca_url: https://sshca.pyrocufflink.blue
+ssh_trusted_user_ca_keys: >-
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
 
 certbot_account_email: dustin@hatch.name
 smtp:

roles/ssh-user-ca/defaults/main.yml

@@ -0,0 +1 @@
+ssh_trusted_user_ca_keys: ''

roles/ssh-user-ca/files/trustedusercakeys.conf

@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/ca.pub

roles/ssh-user-ca/tasks/main.yml

@@ -0,0 +1,24 @@
+- name: ensure sshd is configured to trust user ca keys
+  copy:
+    src:  trustedusercakeys.conf
+    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload sshd
+  tags:
+  - ssh-user-ca
+  - sshd-config
+  - config
+
+- name: ensure ssh trusted user ca list is set
+  copy:
+    dest: /etc/ssh/ca.pub
+    content: >+
+      {{ ssh_trusted_user_ca_keys }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - ssh-user-ca