From 7c4b6e29b1d48847aedbc6da5316c5a30fb5ede2 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 8 Apr 2022 17:15:39 +0300
Subject: feat: add script to configure ssh on installer accept an SSH CA

Sponsored-by: author
---
 set-user-ca-pubkey | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100755 set-user-ca-pubkey

diff --git a/set-user-ca-pubkey b/set-user-ca-pubkey
new file mode 100755
index 0000000..0bac587
--- /dev/null
+++ b/set-user-ca-pubkey
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+die() {
+    echo "ERROR: $*" 1>&2
+    exit 1
+}
+
+cleanup() {
+    umount "$drive" || true
+    rmdir "$mnt"
+}
+
+trap cleanup EXIT
+
+drive="$1"
+pubkey="$2"
+
+[ -e "$drive" ] || die "$drive does not exist"
+[ -e "$pubkey" ] || die "$pubkey does not exist"
+
+mnt="$(mktemp -d)"
+mount "$drive" "$mnt"
+
+include="$mnt/etc/ssh/sshd_config.d/userca.conf"
+echo "TrustedUserCAKeys /etc/ssh/user_ca_keys" >"$include"
+chown root:root "$include"
+chmod 0644 "$include"
+
+cakeys="$mnt/etc/ssh/user_ca_keys"
+install -m 0600 "$pubkey" "$cakeys"
-- cgit v1.2.1
From 360011c903bcfa89c35bee1d8d0ec4b98b029ed8 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 8 Apr 2022 17:39:59 +0300
Subject: feat: if desired, configure host's sshd to accept a CA for users

Sponsored-by: author
---
 std.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/std.yml b/std.yml
index 0814f95..a35e87d
--- a/std.yml
+++ b/std.yml
@@ -16,6 +16,7 @@ passwd -l root - name: "create ~root/.ssh" + when: user_pub is defined file: state: directory path: /root/.ssh
@@ -24,6 +25,7 @@ mode: 0700 - name: "set ~root/.ssh/authorized keys" + when: user_pub is defined copy: content: | {{ user_pub }} 
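Review bot: cleanup() is installed as the EXIT trap before `drive` and `mnt` are assigned, so any early exit — a missing argument, or either `die` from the two existence checks — has the trap expand an unset variable under `set -u`, and the run ends with an "unbound variable" message instead of the intended error. Initialise both variables before `trap cleanup EXIT` and have cleanup() only rmdir a non-empty `$mnt`, as below. A second, security-relevant gap is that `$pubkey` is only checked for existence before being installed as the trusted user CA, so any existing file passed by mistake becomes a CA key on the installed system; a cheap guard is to have `ssh-keygen -l -f "$pubkey"` parse it first. Finally, the drop-in `userca.conf` is only read if the target's `sshd_config` has an `Include /etc/ssh/sshd_config.d/*.conf` line, which the script does not verify — worth a comment above `include=` stating that assumption.
```shell
# … unchanged: die() …

# Assigned before the trap is installed so cleanup() is safe under
# set -u when the script dies before either value is known.
drive=
mnt=

cleanup() {
    umount "$drive" || true
    if [ -n "$mnt" ]; then
        rmdir "$mnt"
    fi
}

trap cleanup EXIT

drive="$1"
pubkey="$2"

[ -e "$drive" ] || die "$drive does not exist"
[ -e "$pubkey" ] || die "$pubkey does not exist"
# Refuse anything ssh-keygen cannot parse as a key: a wrong path that
# happens to exist must not become a trusted CA.
ssh-keygen -l -f "$pubkey" >/dev/null 2>&1 || die "$pubkey is not a parseable SSH public key"

# … unchanged: mount, userca.conf and user_ca_keys installation …
```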
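Review bot: Once this guard is in place, a host configured with neither `user_pub` nor `user_ca_pubkey` ends up with a locked root password (the `passwd -l root` in this hunk's leading context) and no SSH credential for root — an installed system nobody can log in to, unless some task outside this hunk provisions another login path. That case should fail the play up front rather than be discovered after reboot: add an `assert` task before this one with `that: user_pub is defined or user_ca_pubkey is defined` and a `fail_msg` naming both variables. The task list this hunk belongs to starts outside the hunk.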
@@ -32,6 +34,19 @@ group: root mode: 0600 + - name: "install user CA public key" + when: user_ca_pubkey is defined + copy: + content: | + {{ user_ca_pubkey }} + dest: /etc/ssh/user_ca_keys + + - name: "configure sshd to accept CA for users" + when: user_ca_pubkey is defined + copy: + content: TrustedUserCAKeys /etc/ssh/user_ca_keys + dest: /etc/ssh/sshd_config.d/userca.conf + - name: "configure keyboard layout" copy: content: |
-- cgit v1.2.1
From 58ccb4c08006d1cf2a3f349e592019d2d3e5deca Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 8 Apr 2022 18:26:13 +0300
Subject: docs: document user_ca_pubkey

Sponsored-by: author
---
 README.md | 2 ++
 tutorial.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 14a00fb..b9fd6db
--- a/README.md
+++ b/README.md
@@ -82,6 +82,8 @@ Explanation: - the `user_pub` variable contains an SSH public key that gets installed into the `root` user `authorized_keys` file on the installed system by the standard playbook + - the `user_ca_pubkey` variable contains public key for an SSH CA + whose user certificates are to be trusted With all this configuration in a file, which you can keep in git, you can install a base system repeatedly to a specific computer, and do it
diff --git a/tutorial.md b/tutorial.md
index e9bbee2..5e3d6ed
--- a/tutorial.md
+++ b/tutorial.md
@@ -88,6 +88,8 @@ The steps: ansible_vars: user_pub: | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems + user_ca_pubkey: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdSnGI91exKItWsZi0XFVQWluS0FUdd12FLjuQk1FxG liw User CA v1 extra_lvs: - name: vms size: 1T
-- cgit v1.2.1
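Review bot: The two new `copy` tasks carry no `owner`/`group`/`mode`, unlike the authorized_keys task right above them (`group: root`, `mode: 0600` in the leading context), so `/etc/ssh/user_ca_keys` and `userca.conf` get whatever ownership and umask-derived mode the copy happens to produce; add `owner: root`, `group: root`, `mode: 0644` to both (public material that sshd reads as root). Two caveats deserve a comment on the sshd task: the drop-in is only honoured when the installed `sshd_config` carries an `Include /etc/ssh/sshd_config.d/*.conf` directive, which this play appears to assume rather than check, and `TrustedUserCAKeys` without an `AuthorizedPrincipalsFile` means any certificate from this CA whose principal list names a local user — root included, since certificate auth is still permitted under sshd's default `PermitRootLogin prohibit-password` — logs in as that user, so the CA effectively holds root on every host built this way. A line such as `# Trusting this CA grants login as any local user named in a cert's principals; add AuthorizedPrincipalsFile to narrow it` above the task would make that trust decision visible to the next reader. The enclosing task list continues outside the hunk.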