sshca: Configure user CA

SSHCA now supports issuing user certificates. It uses OpenID Connect to authenticate requests, and issues certificates based on the user's ID token.
2024-02-01 09:02:11 -06:00 · 2024-02-01 09:02:11 -06:00 · 2cd4a8b097
parent 834d0f804f
commit 2cd4a8b097
4 changed files with 59 additions and 0 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -110,6 +110,17 @@ identity_providers:
      - email
      - groups
      - offline_access
+    - id: sshca
+      description: SSHCA
+      public: true
+      pre_configured_consent_duration: 4h
+      redirect_uris:
+      - http://127.0.0.1
+      scopes:
+      - openid
+      - profile
+      - email
+      - groups

 log:
  level: trace
--- a/sshca/config.toml
+++ b/sshca/config.toml
@ -1,9 +1,17 @@
 machine_ids = "/var/lib/sshca/machine-ids.json"

+[oidc]
+discovery_url = "https://auth.pyrocufflink.blue"
+client_id = "sshca"
+
 [ca.host]
 private_key_file = "/run/sshca/secrets/host/key/host-ca-key"
 private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase"

+[ca.user]
+private_key_file = "/run/sshca/secrets/user/key/user-ca-key"
+private_key_passphrase_file = "/run/sshca/secrets/user/passphrase/user-ca-key.passphrase"
+
 [[libvirt]]
 uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"

--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@ -68,3 +68,31 @@ spec:
    metadata:
      name: sshca-data
      namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-user-passphrase
+  namespace: sshca
+spec:
+  encryptedData:
+    user-ca-key.passphrase: AgBqGswkCI3U7E1eqlo2yQX7qmIoPYrXO1XbDhW1Y70RXXUFY0rWT5ce+MW5ADSdQ2dbMDur0lnyKae0sERobT+8bjq8SnFPpW6tBUKEqqhEo3CzwD89CNatPnbd19RlFxodWbPgGZUP0/lgq2j+ZJX7RYga0Wjx4C2kQ90uLVz4sFL+PElDl+MIGhJ2FfC7uf1OQZ/ZVOq203OcklWhQOF5+QstUGy3JQGniWvPJ0/19k+XIuZ1UL8etxvRodPyjwKk/vAn4qaHYaitxPXbFYFeELYr8lePo4JIa0HjwVkR3azAwZ+T0RPDBzzWLe4Ej6X+ZXS7Q0X+1qqPTYPq6vyeqATlIroE4XBxUCFDqnrnnXYSi9uRFA38K4g7ClEJc9AgC3lPFrGd9tuLw+ZdR8GNyOZvP+m72elg80qQQr3FvSrHfi0k0Ky8Ebz5401mm2UrhHfsd/a5KwDNopgyflWA/hnaQYA4XctK6aKImmkGmTiZmMC6P5FD4uktl6ZrvNgbPH9rvpJccSXhJApzpckzg39PUuFq3uHxVHU7XbKzeTFsE8dnAp3HqpjReX/2PJC+EM3RGG8XD5oSV6RXqdh6fbCGJmahcP7OY38YyWWGCizAF1LpelLo3DZyiczbQBnT8nK5G+OgXZako4pMwtgg6+i3t/bF0lvgl/2H+Fe37oHoE9BPML0KI4VIdLF6d93HXIZjPDQgAZan0k/J+wY9wFZP7JK5WqDkvRo8pvKEVJguBsvoGXqJE4e8NHz4gz+wZ5ZVYd8Udr7WYS8aeGiJ
+  template:
+    metadata:
+      name: sshca-user-passphrase
+      namespace: sshca
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: sshca-user-key
+  namespace: sshca
+spec:
+  encryptedData:
+    user-ca-key: AgB3b4J1W2NMzMT3de4i+z99YnToEyJ0uf4oJJAUeIEo1h2R5Lhz4SWyPkqFCzERHNw8dz60MhHc+tOLjMoo5XUTAznEMLARgnCPngs99OEKmpcoi7AXTiTeGATwso0fNbtth3AOjseSepjmvfx7/HBxPHZtCjFDPadeUpnGm+uZwE8LqlobxxbdEtV/lyJCYA8F75lajDyx4TzMsfGgqFeyj2jwByk07AFx+QFg4dfWSlkGpumnMkj2cUlH7y5fWphiATP7kMDfkbBWW+nffYqpubt9uZyQA+vPtKD4K8tYijI5zn9edsGb7bHT6Nih/wawP5wdB0DwlMHj5qMCtpGiHhz7H7zaICd2Cz2zkZ09fLOWkJO7nv4CVzEchb6v7rKIYrc2SDffshif96B8VzAznj6gk77bGWnM44+yh+hNDV6fpOajrQSHiaeyvQVw7wi/Q4c/R6BCWGdpk8dunlfEtAPqyE1Zbws+2MnRaBBW9t+wPbEpIEiCa2tjOMzWnECA7k1mKP24rbsY0STB9xkMdIStS3Gvsukrn4zkjaGUN8s3feyCdQZAnq71lePEWkAS0dsEos94TNF7oIhdqyySSnvZp3Mktwozk4/CD5TEkVh38tNQRIb1s2rh9fmb3YbV9Ruy5WzZhsU4I9KqpBeFOs2nHMDIDTEy0/L7aNCgnNpVDvr75e3i82BZFpr+7ywcmu/vpkq7geFH4co4EZP8/707Yu38C2O9GAHu1WMo3rzfSCy4naU+0tGK1ttwuFAbPfY1MIrBDI08QIjHyyE37mWr/VdaJwQIREdcXcggDIcfJKeIQmERveXT7dPTTv+3S6k2nfd5NZgBMtcWkYJ4cSENWTi+T/g2EaLduniUBTM3olIKpIgm66waGGRsGdYpPBMQ9kjerRTeHWObOMtM9oqsDQmPUA9EvciAjiT09F3Q78OCvGIZjC8jsjR05vouHOJ4rEQGlJLWDh+g1f4icXcV1rdpMakhnxLcCt3ExES0Q+qrmnegsgEfMuUAoPwZZFvHZdtV4mfHLei/NiPi4vUMANtWrF70RFOp7tbxWDhvyXyXnZFTdR9wpGLOmuiGpGJn+DYDPPazTQnNRZNSvFEDJYnQ+gGE9DcvVwbFYJmusHiTqHH6RX2RGscCUPeuEnqSDYRUwIb+ZWnU0iTiertq3QJtHKEAC2hf1+8Eh1OFUOzOkcS6lB2mIEKIbJ2kMhfMQWXjo9j/nVvY1t+QURHHEYqLlph59RqNMNlooDL8xW01lRiTD+Bk6iCmu7ViOhfowKiA3CObKS8tm1pOXEPoasl6FcHjj90VPNXsdA==
+  template:
+    metadata:
+      name: sshca-user-key
+      namespace: sshca
--- a/sshca/sshca.yaml
+++ b/sshca/sshca.yaml
@ -84,6 +84,12 @@ spec:
        - mountPath: /run/sshca/secrets/host/passphrase
          name: sshca-host-passphrase
          readOnly: true
+        - mountPath: /run/sshca/secrets/user/key
+          name: sshca-user-key
+          readOnly: true
+        - mountPath: /run/sshca/secrets/user/passphrase
+          name: sshca-user-passphrase
+          readOnly: true
        - mountPath: /var/lib/sshca
          name: sshca-data
          readOnly: true
@ -108,6 +114,12 @@ spec:
      - name: sshca-libvirt-key
        secret:
          secretName: sshca-libvirt-sshkey
+      - name: sshca-user-key
+        secret:
+          secretName: sshca-user-key
+      - name: sshca-user-passphrase
+        secret:
+          secretName: sshca-user-passphrase
      - name: ssh-known-hosts
        configMap:
          name: ssh-known-hosts