-rw-r--r--README.md2
-rwxr-xr-xset-user-ca-pubkey32
-rw-r--r--std.yml15
-rw-r--r--tutorial.md2
4 files changed, 51 insertions, 0 deletions
diff --git a/README.md b/README.md
index 14a00fb..b9fd6db 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,8 @@ Explanation:
- the `user_pub` variable contains an SSH public key that gets
installed into the `root` user `authorized_keys` file on the
installed system by the standard playbook
+ - the `user_ca_pubkey` variable contains public key for an SSH CA
+ whose user certificates are to be trusted
With all this configuration in a file, which you can keep in git, you
can install a base system repeatedly to a specific computer, and do it
diff --git a/set-user-ca-pubkey b/set-user-ca-pubkey
new file mode 100755
index 0000000..0bac587
--- /dev/null
+++ b/set-user-ca-pubkey
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+die() {
+ echo "ERROR: $*" 1>&2
+ exit 1
+}
+
+cleanup() {
+ umount "$drive" || true
+ rmdir "$mnt"
+}
+
+trap cleanup EXIT
+
+drive="$1"
+pubkey="$2"
+
+[ -e "$drive" ] || die "$drive does not exist"
+[ -e "$pubkey" ] || die "$pubkey does not exist"
+
+mnt="$(mktemp -d)"
+mount "$drive" "$mnt"
+
+include="$mnt/etc/ssh/sshd_config.d/userca.conf"
+echo "TrustedUserCAKeys /etc/ssh/user_ca_keys" >"$include"
+chown root:root "$include"
+chmod 0644 "$include"
+
+cakeys="$mnt/etc/ssh/user_ca_keys"
+install -m 0600 "$pubkey" "$cakeys"
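Review bot: `cleanup` (L38–L41) reads `$drive` and `$mnt` before either is assigned, so under `set -eu` any exit before L51 — a missing argument at L45, or either `die` at L48–L49 — fires the EXIT trap, which then aborts on an unbound variable instead of running to completion. It also unmounts by device (`umount "$drive"`) rather than by the mount point it created; if the same device were already mounted elsewhere, which mount util-linux picks is not guaranteed, so unmounting `$mnt` is the safer choice. Initialising `mnt=""` before the trap, testing it in `cleanup`, and adding an explicit `[ $# -eq 2 ]` usage check makes both failure paths clean. L55 additionally assumes `$mnt/etc/ssh/sshd_config.d` exists on the target; a `[ -d ]` check with a `die` message would make that failure explicit rather than a bare redirection error.
```shell
mnt=""
cleanup() {
  # Only tear down what this script created; unmount by mount point, not device.
  if [ -n "$mnt" ]; then
    umount "$mnt" || true
    rmdir "$mnt"
  fi
}

trap cleanup EXIT

[ $# -eq 2 ] || die "usage: $0 DRIVE PUBKEY"
drive="$1"
pubkey="$2"
# … unchanged: existence checks, mktemp, mount, sshd include and CA key install …
```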
diff --git a/std.yml b/std.yml
index 0814f95..a35e87d 100644
--- a/std.yml
+++ b/std.yml
@@ -16,6 +16,7 @@
passwd -l root
- name: "create ~root/.ssh"
+ when: user_pub is defined
file:
state: directory
path: /root/.ssh
@@ -24,6 +25,7 @@
mode: 0700
- name: "set ~root/.ssh/authorized keys"
+ when: user_pub is defined
copy:
content: |
{{ user_pub }}
@@ -32,6 +34,19 @@
group: root
mode: 0600
+ - name: "install user CA public key"
+ when: user_ca_pubkey is defined
+ copy:
+ content: |
+ {{ user_ca_pubkey }}
+ dest: /etc/ssh/user_ca_keys
+
+ - name: "configure sshd to accept CA for users"
+ when: user_ca_pubkey is defined
+ copy:
+ content: TrustedUserCAKeys /etc/ssh/user_ca_keys
+ dest: /etc/ssh/sshd_config.d/userca.conf
+
- name: "configure keyboard layout"
copy:
content: |
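Review bot: The two new `copy` tasks at L82–L93 write `/etc/ssh/user_ca_keys` and `/etc/ssh/sshd_config.d/userca.conf` without `owner`, `group` or `mode`, unlike the neighbouring authorized_keys task whose trailing `group: root` / `mode: 0600` lines are visible at L80–L81, so the resulting ownership and permissions depend on the remote defaults. Pinning them explicitly also keeps the playbook consistent with the `set-user-ca-pubkey` script in the same commit, which installs the CA key with mode 0600 and the include with 0644. The `content:` at L92 is a plain scalar and therefore has no trailing newline; a `|` block scalar matches the sibling tasks and writes a conventional line-terminated file. Separately, the drop-in only takes effect if the target's `sshd_config` includes `sshd_config.d/*.conf`, which is the upstream default on recent OpenSSH but is not checked here; worth confirming for the installed image.
```yaml
- name: "install user CA public key"
  when: user_ca_pubkey is defined
  copy:
    content: |
      {{ user_ca_pubkey }}
    dest: /etc/ssh/user_ca_keys
    owner: root
    group: root
    mode: "0600"

- name: "configure sshd to accept CA for users"
  when: user_ca_pubkey is defined
  copy:
    content: |
      TrustedUserCAKeys /etc/ssh/user_ca_keys
    dest: /etc/ssh/sshd_config.d/userca.conf
    owner: root
    group: root
    mode: "0644"
# … unchanged: "configure keyboard layout" task …
```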
diff --git a/tutorial.md b/tutorial.md
index e9bbee2..5e3d6ed 100644
--- a/tutorial.md
+++ b/tutorial.md
@@ -88,6 +88,8 @@ The steps:
ansible_vars:
user_pub: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ user_ca_pubkey: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdSnGI91exKItWsZi0XFVQWluS0FUdd12FLjuQk1FxG liw User CA v1
extra_lvs:
- name: vms
size: 1T