You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Denis Knauf 79b66529c8 user|host (wrong) -> user@host (correct) 2 years ago
defaults user|host (wrong) -> user@host (correct) 2 years ago
files install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock. 3 years ago
handlers init 3 years ago
meta user-certs renewal support added. vers -> defaults 3 years ago
tasks user|host (wrong) -> user@host (correct) 2 years ago
tests init 3 years ago
vars user-certs renewal support added. vers -> defaults 3 years ago
.gitignore install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock. 3 years ago
LICENSE Initial commit 3 years ago
README.adoc user-certs renewal support added. vers -> defaults 3 years ago

README.adoc

ssh_cert
========

Implements SSH-Certificate-renewal on hosts.
The renewal-process connects to ssh-ca-host and fetches a new certificate, if needed.

These renewal can be used for host-certificates and user-certificates.

Prepares `sshd_config` to use the CA and the host-certificate.

Requirements
------------

systemd is required, so it would not work on alpine or openwrt, yet.

Role Variables
--------------

ssh_ca_host::
Hostmachine for CA.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.

ssh_ca_user::
Hostmachine for CA.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.
Default: `sshca`

ssh_ca_base_dir::
Path to CA base on ssh-ca-host.
This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role.
Default: `~/.ssh-ca`
**Do not change!**

ssh_cert_known_domain::
Adds domain to trust by this CA.

ssh_cert_mail_to::
If you want to be informed on renewal or errors, provide a mailto-address.
Mandatory, yet.

ssh_cert_mail_from::
If you want to be informed on renewal or errors, provide an address of sender.
Mandatory, yet.

ssh_cert_sign_host::
Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`

ssh_cert_host_pub_path::
Path to host-key-pub on host-machine.
Would be used like a CSR.
Default: `/etc/ssh/ssh_host_ed25519_key.pub`

ssh_cert_host_cert_path::
Where to place the host-certificate on host-machine?
Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`

ssh_cert_host_capub_path::
Where to place the CA on host-machine?
Default: `/etc/ssh/ca.pub`

ssh_cert_user_pub_path::
Path to user-key-pub on host-machine.
Would be used like a CSR.
Default: `~/.ssh/id_ed25519.pub`

ssh_cert_user_cert_path::
Where to place the user-certificate on host-machine?
Default: `~/.ssh/id_ed25519-cert.pub`

ssh_cert_host_addition_ids::
Additional IDs (as list) placed in certificate.
For host-keys, additional hostnames like `git.example.net`.
Default is empty.

Dependencies
------------

* ssh-ca

Example Playbook
----------------

Optional, use ssh-ca-role before.

Then use the regular role:

----
- name: SSH-Cert
  hosts: hosts
	roles:
	- role: ssh-cert
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert