Switch from Step CA to SSHCA
SSH host certificates are now issued by SSHCA. The *sshca-cli-systemd* package contains the appropriate systemd units for it.
parent
78f9284f33
commit
6dfde32a5e
@ -8,4 +8,4 @@ ignition:
- local: collectd.ign
- local: local_exporter.ign
- local: notify-shutdown.ign
- local: step-ssh.ign
- local: ssh-host-certs.ign
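--- a/dch-repo.ign
+++ b/dch-repo.ign
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+files:
+- path: /etc/yum.repos.d/dch.repo
+mode: 0644
+contents:
+local: dch.repo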
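--- a/dch.repo
+++ b/dch.repo
@@ -0,0 +1,6 @@
+[dch]
+name=DCH - Fedora $releasever
+baseurl=https://files.pyrocufflink.blue/yum/dch/fedora/$releasever
+gpgkey=https://files.pyrocufflink.blue/yum/dch/gnupg.pub
+gpgcheck=1
+skip_if_unavailable=true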
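Review bot: Only the packages themselves are signature-checked by this stanza (`gpgcheck=1` with `gpgkey=`); the repository metadata is not, since there is no `repo_gpgcheck=1`, so anyone able to alter the repodata on files.pyrocufflink.blue could point clients at an older, still-signed build of sshca-cli-systemd. If the repo publishes signed metadata, add `repo_gpgcheck=1` directly after `gpgcheck=1`. Note also that `skip_if_unavailable=true` turns an outage of this repo into a silent condition rather than an error, which on a fresh host means the package install presumably finds no candidate instead of reporting the repo as unreachable; a one-line comment in the file stating that this is intentional would help the next reader.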
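--- a/ssh-bootstrap.service
+++ b/ssh-bootstrap.service
@@ -1,13 +0,0 @@
-# vim: set ft=systemd :
-[Service]
-Description=Bootstrap SSH host certificates
-ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key-cert.pub
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh /etc/ssh/bootstrap.sh
-
-[Install]
-WantedBy=multi-user.target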
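--- a/ssh-bootstrap.sh
+++ b/ssh-bootstrap.sh
@@ -1,35 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-gen_sshd_config() {
-{
-for x in ssh_host_*_key-cert.pub; do
-printf 'HostCertificate /etc/ssh/%s\n' "${x}"
-done
-} > sshd_config.d/10-hostcertificate.conf
-}
-
-parse_response() {
-jq -r '.certificates | to_entries | .[] | .key + " " + .value' \
-| while read filename contents; do
-[ -n "$(unknown)" ] || continue
-echo "${contents}" > "$(unknown)" || return
-done
-}
-
-request_sign() {
-set -- \
-https://bootstrap.pyrocufflink.blue/sshkeys/sign \
--H 'Accept: application/json' \
--F hostname=$(hostname -f)
-for f in /etc/ssh/ssh_host_*_key.pub; do
-set -- "$@" -F keys=@"${f}"
-done
-curl -fsSL "$@"
-}
-
-cd /etc/ssh || exit
-request_sign | parse_response
-gen_sshd_config
-
-systemctl reload sshd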
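--- a/ssh-host-certs.ign
+++ b/ssh-host-certs.ign
@@ -0,0 +1,40 @@
+variant: fcos
+version: 1.4.0
+
+ignition:
+config:
+merge:
+- local: dch-repo.ign
+
+storage:
+files:
+- path: /etc/ignition/packages.d/sshca
+mode: 0644
+contents:
+inline: |
+sshca-cli-systemd
+
+- path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+mode: 0644
+contents:
+inline: |
+HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+
+- path: /etc/sysconfig/ssh-host-cert-sign
+mode: 0644
+contents:
+inline: |
+SSHCA_SERVER=https://sshca.pyrocufflink.blue
+
+links:
+- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
+target: /usr/lib/systemd/system/ssh-host-certs.target
+- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
+target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
+
+systemd:
+units:
+- name: ssh-host-certs-renew.timer
+enabled: true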
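Review bot: The three `HostCertificate` lines written to `/etc/ssh/sshd_config.d/10-hostcertificate.conf` are now static, whereas the removed bootstrap script generated them from the `*-cert.pub` files actually present; on a fresh host none of those files exist until SSHCA issues them, so sshd will complain about each missing certificate at every start until then (non-fatal in my reading, but it should be stated), so I would add `# Issued by sshca-cli-systemd after install; sshd only warns while these are missing` as the first line of the snippet. The renew timer is also enabled twice, once through `enabled: true` under `systemd.units` and once through the explicit link into `after-install.target.wants`; since the unit comes from a package that is installed after Ignition runs (via `packages.d`), the `enabled: true` entry presumably acts on a unit that does not yet exist, and a comment saying which of the two is authoritative would avoid someone removing the wrong one. Finally, the removed step configuration pinned the CA trust anchor (`STEP_ROOT`), while the new `/etc/sysconfig/ssh-host-cert-sign` only sets `SSHCA_SERVER`; nothing on this page shows how sshca-cli validates the server's TLS certificate, so confirm the internal root is in the trust store the client actually uses.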
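--- a/step-ssh-renew.env
+++ b/step-ssh-renew.env
@@ -1,3 +0,0 @@
-STEP_CA_URL=https://ca.pyrocufflink.blue:32599
-STEP_ROOT=/etc/pki/ca-trust/source/anchors/dch-root-ca.crt
-STEP_PROVISIONER=sshpop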
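--- a/step-ssh-renew.target
+++ b/step-ssh-renew.target
@@ -1,6 +0,0 @@
-[Unit]
-Description=Renew SSH host certificates
-StopWhenUnneeded=yes
-Wants=step-ssh-renew@ed25519.service
-Wants=step-ssh-renew@ecdsa.service
-Wants=step-ssh-renew@rsa.service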
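--- a/step-ssh-renew.timer
+++ b/step-ssh-renew.timer
@@ -1,11 +0,0 @@
-[Unit]
-Description=Periodically renew SSH host certificates
-
-[Timer]
-Unit=%N.target
-OnCalendar=Tue *-*-* 00:00:00
-RandomizedDelaySec=48h
-Persistent=yes
-
-[Install]
-WantedBy=timers.target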
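--- a/step-ssh-renew@.container
+++ b/step-ssh-renew@.container
@@ -1,20 +0,0 @@
-[Unit]
-Description=Renew SSH host %I certificate
-After=network-online.target
-Wants=network-online.target
-ConditionPathExists=/etc/ssh/ssh_host_%I_key-cert.pub
-
-[Container]
-ContainerName=step-ssh-renew-%I
-Image=docker.io/smallstep/step-cli:0.25.0
-EnvironmentFile=/etc/sysconfig/step-ssh-renew
-Exec=step ssh renew -f /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key
-Volume=/etc/ssh:/etc/ssh:rw
-Volume=/etc/pki:/etc/pki:ro
-# Required in order to be able to write to /etc/ssh
-SecurityLabelDisable=true
-User=0
-Group=0
-
-[Service]
-Type=oneshot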
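--- a/step-ssh.ign
+++ b/step-ssh.ign
@@ -1,29 +0,0 @@
-variant: fcos
-version: 1.4.0
-
-storage:
-files:
-- path: /etc/ssh/bootstrap.sh
-mode: 0755
-contents:
-local: ssh-bootstrap.sh
-- path: /etc/containers/systemd/step-ssh-renew@.container
-mode: 0644
-contents:
-local: step-ssh-renew@.container
-- path: /etc/sysconfig/step-ssh-renew
-mode: 0600
-contents:
-local: step-ssh-renew.env
-- path: /etc/systemd/system/ssh-bootstrap.service
-mode: 0644
-contents:
-local: ssh-bootstrap.service
-- path: /etc/systemd/system/step-ssh-renew.target
-mode: 0644
-contents:
-local: step-ssh-renew.target
-- path: /etc/systemd/system/step-ssh-renew.timer
-mode: 0644
-contents:
-local: step-ssh-renew.timer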