deac/ansible-role-ssh-cert
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
No description
9 commits 1 branch 0 tags 386 KiB
Find a file
Exact
Denis Knauf 79b66529c8 user|host (wrong) -> user@host (correct)
2022-03-15 10:59:21 +01:00
defaults user|host (wrong) -> user@host (correct) 2022-03-15 10:59:21 +01:00
files install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock. 2020-09-30 20:45:28 +02:00
handlers init 2020-09-16 14:19:19 +02:00
meta user-certs renewal support added. vers -> defaults 2020-09-21 09:26:01 +02:00
tasks user|host (wrong) -> user@host (correct) 2022-03-15 10:59:21 +01:00
tests init 2020-09-16 14:19:19 +02:00
vars user-certs renewal support added. vers -> defaults 2020-09-21 09:26:01 +02:00
.gitignore install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock. 2020-09-30 20:45:28 +02:00
LICENSE Initial commit 2020-09-16 13:24:18 +02:00
README.adoc user-certs renewal support added. vers -> defaults 2020-09-21 09:26:01 +02:00

README.adoc 

ssh_cert
========

Implements SSH-Certificate-renewal on hosts.
The renewal-process connects to ssh-ca-host and fetches a new certificate, if needed.

These renewal can be used for host-certificates and user-certificates.

Prepares `sshd_config` to use the CA and the host-certificate.

Requirements
------------

systemd is required, so it would not work on alpine or openwrt, yet.

Role Variables
--------------

ssh_ca_host::
Hostmachine for CA.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.

ssh_ca_user::
Hostmachine for CA.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.
Default: `sshca`

ssh_ca_base_dir::
Path to CA base on ssh-ca-host.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.
Default: `~/.ssh-ca`
**Do not change!**

ssh_cert_known_domain::
Adds domain to trust by this CA.

ssh_cert_mail_to::
If you want to be informed on renewal or errors, provide a mailto-address.
Mandatory, yet.

ssh_cert_mail_from::
If you want to be informed on renewal or errors, provide an address of sender.
Mandatory, yet.

ssh_cert_sign_host::
Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`

ssh_cert_host_pub_path::
Path to host-key-pub on host-machine.
Would be used like a CSR.
Default: `/etc/ssh/ssh_host_ed25519_key.pub`

ssh_cert_host_cert_path::
Where to place the host-certificate on host-machine?
Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`

ssh_cert_host_capub_path::
Where to place the CA on host-machine?
Default: `/etc/ssh/ca.pub`

ssh_cert_user_pub_path::
Path to user-key-pub on host-machine.
Would be used like a CSR.
Default: `~/.ssh/id_ed25519.pub`

ssh_cert_user_cert_path::
Where to place the user-certificate on host-machine?
Default: `~/.ssh/id_ed25519-cert.pub`

ssh_cert_host_addition_ids::
Additional IDs (as list) placed in certificate.
For host-keys, additional hostnames like `git.example.net`.
Default is empty.

Dependencies
------------

* ssh-ca

Example Playbook
----------------

Optional, use ssh-ca-role before.

Then use the regular role:

----
- name: SSH-Cert
  hosts: hosts
	roles:
	- role: ssh-cert
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert