Denis Knauf 79b66529c8 user|host (wrong) -> user@host (correct) 2 months ago

README.adoc

ssh_cert

Implements SSH certificate renewal on hosts. The renewal process connects to the ssh-ca host and fetches a new certificate if needed.

This renewal can be used for host certificates and for user certificates.

Prepares sshd_config to use the CA and the host certificate.

Requirements

systemd is required, so it does not work on Alpine or OpenWrt yet.

Role Variables

ssh_ca_host

Host machine running the CA. This is not host-specific, so change it for all hosts or for none. Must match the ssh_ca role.

ssh_ca_user

User on the CA host machine. This is not host-specific, so change it for all hosts or for none. Must match the ssh_ca role. Default: sshca

ssh_ca_base_dir

Path to the CA base directory on the ssh-ca host. This is not host-specific, so change it for all hosts or for none. Must match the ssh_ca role. Default: ~/.ssh-ca. Do not change!

ssh_cert_known_domain

Domain that is added as trusted for this CA.

ssh_cert_mail_to

If you want to be informed about renewals or errors, provide a recipient mail address. Currently mandatory.

ssh_cert_mail_from

If you want to be informed about renewals or errors, provide the sender address. Currently mandatory.

ssh_cert_sign_host

Account on the CA host that signs the keys. Default: {{ssh_ca_user}}@{{ssh_ca_host}}

ssh_cert_host_pub_path

Path to the host public key on the host machine. It is used like a CSR. Default: /etc/ssh/ssh_host_ed25519_key.pub

ssh_cert_host_cert_path

Where the host certificate is placed on the host machine. Default: /etc/ssh/ssh_host_ed25519_key-cert.pub

ssh_cert_host_capub_path

Where the CA public key is placed on the host machine. Default: /etc/ssh/ca.pub

ssh_cert_user_pub_path

Path to the user public key on the host machine. It is used like a CSR. Default: ~/.ssh/id_ed25519.pub

ssh_cert_user_cert_path

Where the user certificate is placed on the host machine. Default: ~/.ssh/id_ed25519-cert.pub

ssh_cert_host_addition_ids

Additional IDs (as a list) placed in the certificate. For host keys, these are additional hostnames such as git.example.net. Default is empty.
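Added example, not the role's own code: a minimal shell version of the daily renewal check the role describes, using the default paths listed above. It assumes the role variables are exported in upper case (SSH_CERT_HOST_PUB_PATH and so on), a hypothetical CA-side command name REMOTE_SIGN_CMD, GNU date, and an sshd unit named sshd.

```shell
#!/bin/sh
# Added example, not part of the ssh_cert role. Renews the host certificate by
# sending the host public key (used like a CSR) to {{ssh_ca_user}}@{{ssh_ca_host}}.

PUB_PATH="${SSH_CERT_HOST_PUB_PATH:-/etc/ssh/ssh_host_ed25519_key.pub}"
CERT_PATH="${SSH_CERT_HOST_CERT_PATH:-/etc/ssh/ssh_host_ed25519_key-cert.pub}"
SIGN_HOST="${SSH_CERT_SIGN_HOST:-sshca@ca.example.net}"   # constructed sample value
REMOTE_SIGN_CMD="${REMOTE_SIGN_CMD:-sign-host-key}"        # hypothetical CA-side command

# cert_expiry LISTING: print the "to" timestamp from `ssh-keygen -L -f CERT`
# output, or nothing when the listing has no expiry (e.g. "Valid: forever").
cert_expiry() {
    printf '%s\n' "$1" | sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p'
}

# cert_needs_renewal LISTING DEADLINE: succeed (exit 0) when the certificate
# expires before DEADLINE. Both are ISO 8601 timestamps (YYYY-MM-DDTHH:MM:SS),
# which compare correctly as plain strings, so no date parsing is needed here.
cert_needs_renewal() {
    listing=$1
    deadline=$2
    [ -n "$listing" ] || return 0            # no certificate yet: fetch one
    expiry=$(cert_expiry "$listing")
    [ -n "$expiry" ] || return 1             # no expiry: nothing to renew
    expr "$expiry" \< "$deadline" >/dev/null
}

# renew_host_cert: fetch a new certificate and let sshd pick it up. The answer
# goes to a temporary file first, so sshd never sees a partial certificate, and
# is checked with ssh-keygen -L so that an error message is never installed.
renew_host_cert() {
    ssh "$SIGN_HOST" "$REMOTE_SIGN_CMD" < "$PUB_PATH" > "$CERT_PATH.tmp" \
        && ssh-keygen -L -f "$CERT_PATH.tmp" >/dev/null \
        || { rm -f "$CERT_PATH.tmp"; return 1; }
    mv "$CERT_PATH.tmp" "$CERT_PATH" && systemctl reload sshd
}

# main: run once a day from a systemd timer; renew if less than one day is left.
# ssh-keygen prints local time, so the deadline is computed in local time too.
main() {
    deadline=$(date -d '+1 day' +%Y-%m-%dT%H:%M:%S)      # GNU date assumed
    listing=$(ssh-keygen -L -f "$CERT_PATH" 2>/dev/null)
    if cert_needs_renewal "$listing" "$deadline"; then
        renew_host_cert
    fi
}

case "${1:-}" in run) main ;; esac
```

Invoke it as `sh renew.sh run` from the timer unit; without the argument it only defines the functions.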

Dependencies

  • ssh-ca

Example Playbook

Optionally, run the ssh-ca role first.

Then use this role as usual:

- name: SSH-Cert
  hosts: hosts
  roles:
    - role: ssh-cert

License

AGPLv3

Author Information