authorLars Wirzenius <liw@liw.fi>2022-04-08 17:39:59 +0300
committerLars Wirzenius <liw@liw.fi>2022-04-08 17:39:59 +0300
commit360011c903bcfa89c35bee1d8d0ec4b98b029ed8 (patch)
tree1615f90558d3a94fbb4a7b6cdfd9743083e795d0
parent7c4b6e29b1d48847aedbc6da5316c5a30fb5ede2 (diff)
downloadv-i-360011c903bcfa89c35bee1d8d0ec4b98b029ed8.tar.gz
feat: if desired, configure host's sshd to accept a CA for users
Sponsored-by: author
-rw-r--r--std.yml15
1 files changed, 15 insertions, 0 deletions
diff --git a/std.yml b/std.yml
index 0814f95..a35e87d 100644
--- a/std.yml
+++ b/std.yml
@@ -16,6 +16,7 @@
passwd -l root
- name: "create ~root/.ssh"
+ when: user_pub is defined
file:
state: directory
path: /root/.ssh
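Review bot: The guard `when: user_pub is defined` on "create ~root/.ssh", and the identical guard on "set ~root/.ssh/authorized keys" in the next hunk, is also true when user_pub is defined but empty, so an empty authorized_keys file would still be written. Consider `when: user_pub is defined and user_pub | length > 0` on both tasks. Because the context line above runs `passwd -l root`, a spec that sets neither user_pub nor user_ca_pubkey now appears to finish with no root login path at all. If that is not intended, an early `assert` that at least one of the two variables is defined would catch it at install time. Both tasks continue outside their hunks.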
@@ -24,6 +25,7 @@
mode: 0700
- name: "set ~root/.ssh/authorized keys"
+ when: user_pub is defined
copy:
content: |
{{ user_pub }}
@@ -32,6 +34,19 @@
group: root
mode: 0600
+ - name: "install user CA public key"
+ when: user_ca_pubkey is defined
+ copy:
+ content: |
+ {{ user_ca_pubkey }}
+ dest: /etc/ssh/user_ca_keys
+
+ - name: "configure sshd to accept CA for users"
+ when: user_ca_pubkey is defined
+ copy:
+ content: TrustedUserCAKeys /etc/ssh/user_ca_keys
+ dest: /etc/ssh/sshd_config.d/userca.conf
+
- name: "configure keyboard layout"
copy:
content: |
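Review bot: Neither new `copy` task sets ownership or permissions, unlike the authorized_keys task just above (`group: root`, `mode: 0600`), so /etc/ssh/user_ca_keys and /etc/ssh/sshd_config.d/userca.conf get whatever the running user and umask yield. Anyone able to write the CA file can add a CA that sshd will trust for user logins, so pin both tasks with `owner: root`, `group: root` and `mode: "0644"`. A comment on the second task would also help, noting that the drop-in presumably only takes effect if the main sshd_config includes /etc/ssh/sshd_config.d/*.conf. The same comment should record that, with no AuthorizedPrincipalsFile configured, any certificate signed by this CA that lists an account name as a principal is accepted for that account.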