Dustin 8a7faac35b r/ssh-host-certs: Reload sshd after renewing certs
In Fedora 41, it seems the SSH daemon no longer automatically uses the
new certificate after its host certificates have been renewed.  To get
it to pick up the new ones, we have to explicitly tell it to reload.  To
handle that automatically, I've added a new systemd path unit that
monitors the certificate files.  When it detects that one of them has
changed, it will send the signal to the SSH daemon to tell it to reload.
2025-09-14 15:08:41 -05:00
Dustin 37e6622351 r/ssh-host-certs: Import systemd unit files
The _sshca-cli_ package no longer provides a _-systemd_ sub-package
containing the systemd unit files for automatically requesting and
renewing SSH host certificates.  Its original intent was to support
automatically signing certificates on first boot by having the unit
files installed by Anaconda, but this never really worked for various
reasons.  Since I'd rather not have to rebuild the RPMs every time I
need to make a change to the systemd units, and Ansible is required to
actually get the certificates issued anyway, it makes more sense to have
the unit files in the configuration policy instead.
2025-09-14 15:08:41 -05:00
7 changed files with 125 additions and 5 deletions


@ -0,0 +1,11 @@
[Unit]
Description=Watch SSH Host certificates for renewal
After=sshd.service
[Path]
PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
[Install]
WantedBy=paths.target
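Review bot: The third watch, `PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub`, does not match the file the signing unit writes, which is `/etc/ssh/ssh_host_%I_key-cert.pub` and so `ssh_host_ed25519_key-cert.pub` for the ed25519 instance; an ed25519 renewal would never trigger the reload and sshd would keep presenting the old certificate until its next restart. The line should read `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub`, matching the rsa and ecdsa entries above it. A one-line comment naming the producer of these paths, e.g. `# Must match --output in ssh-host-cert-sign@.service`, would make the coupling visible to whoever edits either file next.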


@ -0,0 +1,24 @@
[Unit]
Description=Reload SSH daemon when certificate is renewed
After=sshd.service
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl reload sshd
CapabilityBoundingSet=
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
PrivateTmp=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
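Review bot: `ExecStart=/usr/bin/systemctl reload sshd` fails when sshd.service is not active (systemd refuses to reload an inactive unit, as far as I recall), so a certificate written while sshd is stopped or still starting would leave reload-ssh-cert.service in a failed state rather than being picked up later. `ExecStart=/usr/bin/systemctl try-reload-or-restart sshd.service` does nothing when the unit is not running and reloads it otherwise, which is the behaviour this unit wants. Separately, `ProtectControlGroups=yes` is the only `yes` in a [Service] section that otherwise spells booleans `true`; pick one spelling, noting that the sibling ssh-host-cert-sign@.service uses `yes` throughout.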


@ -0,0 +1,34 @@
[Unit]
Description=Request %I SSH Host Certificate
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
CapabilityBoundingSet=CAP_CHOWN
DeviceAllow=
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/etc/ssh
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
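Review bot: The unit has no guard for hosts that lack one of the key types, yet ssh-host-certs-renew.target wants all three instances, so a machine without, say, `/etc/ssh/ssh_host_ecdsa_key.pub` would record a failed `ssh-host-cert-sign@ecdsa.service` on every run. Adding `ConditionPathExists=/etc/ssh/ssh_host_%I_key.pub` to the [Unit] section skips such an instance cleanly instead. Note also that `ReadWritePaths=/etc/ssh` gives this root-running, network-connected process write access to the private host keys as well as to the certificate it produces; that is inherent to writing the cert next to the key, but it deserves a comment such as `# ReadWritePaths must cover the --output directory; the private host keys live there too`. The `# vim: set ft=systemd :` modeline present in the .target and .timer files is missing here and in the two reload-ssh-cert units.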


@ -0,0 +1,7 @@
# vim: set ft=systemd :
[Unit]
Description=Request SSH Host Certificates
StopWhenUnneeded=yes
Wants=ssh-host-cert-sign@ed25519.service
Wants=ssh-host-cert-sign@rsa.service
Wants=ssh-host-cert-sign@ecdsa.service
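Review bot: Because the three signing instances are pulled in with `Wants=` rather than `Requires=`, a failed signing run leaves the target itself in a successful state, and the failure shows up only as a failed `ssh-host-cert-sign@<type>.service` unit that the timer will not report. That is a reasonable choice if one key type's failure should not block the others, but the reason belongs in the file, e.g. `# Wants= so one failed key type does not block the others; alert on failed ssh-host-cert-sign@ units`. `StopWhenUnneeded=yes` is what lets the timer start this target again on the next run; a short comment saying so would help the next reader.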


@ -0,0 +1,12 @@
# vim: set ft=systemd :
[Unit]
Description=Periodically renew SSH host certificates
[Timer]
Unit=%N.target
OnCalendar=Tue *-*-* 00:00:00
RandomizedDelaySec=48h
Persistent=yes
[Install]
WantedBy=timers.target
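Review bot: With `OnCalendar=Tue *-*-* 00:00:00` and `RandomizedDelaySec=48h`, consecutive renewals on one host can be anywhere from five to nine days apart (a Tuesday start plus a two-day window), and a missed run replayed by `Persistent=yes` can stretch that further, so the validity period the CA issues must comfortably exceed that; nothing on this page shows the configured validity, and the timer should state the assumption, e.g. `# CA-issued host certs must remain valid well beyond 9 days (weekly run + 48h jitter)`. If the 48h spread exists only to keep every host from hitting the CA at once, `FixedRandomDelay=true` keeps each host's offset stable across runs, making the effective interval a predictable week rather than a varying one.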


@ -1,3 +1,4 @@
dependencies:
- role: systemd-base
- role: dch-yum
tags: dch-yum


@ -1,12 +1,35 @@
- name: ensure sshca-cli-systemd is installed
- name: ensure sshca-cli is installed
package:
name: sshca-cli-systemd
name: sshca-cli
state: present
notify:
- restart ssh-host-certs.target
tags:
- install
- name: ensure sshca-cli-systemd is not installed
package:
name: sshca-cli-systemd
state: absent
tags:
- uninstall
- name: ensure ssh host cert signing systemd units are installed
copy:
src: '{{ item }}'
dest: /etc/systemd/system/{{ item }}
owner: root
group: root
mode: u=rw,go=r
loop:
- ssh-host-cert-sign@.service
- ssh-host-certs-renew.target
- ssh-host-certs-renew.timer
- reload-ssh-cert.path
- reload-ssh-cert.service
notify:
- reload systemd
tags:
- systemd
- name: ensure ssh-host-cert-sign is configured
template:
src: ssh-host-cert-sign.env.j2
@ -15,7 +38,7 @@
group: root
mode: u=rw,go=r
notify:
- restart ssh-host-certs.target
- restart ssh-host-certs-renew.target
tags:
- config
@ -27,6 +50,14 @@
tags:
- service
- name: ensure reload-ssh-cert.path is enabled
systemd:
name: reload-ssh-cert.path
enabled: true
state: started
tags:
- service
- name: ensure sshd is configured to use host certificates
template:
src: hostcertificate.conf.j2