From 9cbe617309a95678a6929dd9e52d7f51dc8852e1 Mon Sep 17 00:00:00 2001 From: Denis Knauf Date: Sun, 20 Sep 2020 22:45:47 +0200 Subject: [PATCH] user-certs renewal support added. vers -> defaults --- README.adoc | 15 ++--- defaults/main.yml | 11 +++- files/ssh-cert-renew@.service | 8 --- files/ssh-host-cert-renew@.service | 8 +++ ...enew@.timer => ssh-host-cert-renew@.timer} | 0 files/ssh-user-cert-renew@.service | 10 ++++ files/ssh-user-cert-renew@.timer | 8 +++ meta/main.yml | 2 +- tasks/main.yml | 60 ++++++++++++++++--- vars/main.yml | 11 +--- 10 files changed, 94 insertions(+), 39 deletions(-) delete mode 100644 files/ssh-cert-renew@.service create mode 100644 files/ssh-host-cert-renew@.service rename files/{ssh-cert-renew@.timer => ssh-host-cert-renew@.timer} (100%) create mode 100644 files/ssh-user-cert-renew@.service create mode 100644 files/ssh-user-cert-renew@.timer diff --git a/README.adoc b/README.adoc index 908509d..76f8069 100644 --- a/README.adoc +++ b/README.adoc @@ -32,6 +32,10 @@ Path to CA base on ssh-ca-host. This is not host-specific, so you should change it for all hosts or neither. Must match with `ssh_ca`-role. Default: `~/.ssh-ca` +**Do not change!** + +ssh_cert_known_domain:: +Adds domain to trust by this CA. ssh_cert_mail_to:: If you want to be informed on renewal or errors, provide a mailto-address. @@ -79,16 +83,7 @@ Dependencies Example Playbook ---------------- -Optional, use ssh-ca-role before: - ----- -- name: SSH-CA - hosts: ssh_ca_server - roles: - - role: ssh-ca ----- - -This you need only on one machine. +Optional, use ssh-ca-role before. Then use the regular role: diff --git a/defaults/main.yml b/defaults/main.yml index 5746bf8..67baa8e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,2 +1,9 @@
----
-# defaults file for ssh-ca
\ No newline at end of file
+ssh_ca_user: sshca
+ssh_ca_base_dir: ~/.ssh-ca
+ssh_cert_sign_host: '{{ssh_ca_host}}'
+ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
+ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
+ssh_cert_host_capub_path: /etc/ssh/ca.pub
+ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
+ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
+#ssh_cert_host_addition_ids: []
diff --git a/files/ssh-cert-renew@.service b/files/ssh-cert-renew@.service
deleted file mode 100644
index aba5eb9..0000000
--- a/files/ssh-cert-renew@.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Renewal ssh host certificate %i
-
-[Service]
-EnvironmentFile=/etc/default/ssh-cert-renew
-Type=oneshot
-ExecStart=/usr/local/bin/timer-mail -t ${ssh_ca_mail_to} -f ${ssh_ca_mail_from} -s "ssh certificate renewal %i" -ve \
- /etc/systemd/ssh-cert-renew ${ssh_ca_sign_host} /etc/ssh/%i
diff --git a/files/ssh-host-cert-renew@.service b/files/ssh-host-cert-renew@.service
new file mode 100644
index 0000000..73afe94
--- /dev/null
+++ b/files/ssh-host-cert-renew@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renewal ssh host certificate %i
+
+[Service]
+EnvironmentFile=/etc/default/ssh-cert-renew
+Type=oneshot
+ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \
+ /etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} /etc/ssh/%i
diff --git a/files/ssh-cert-renew@.timer b/files/ssh-host-cert-renew@.timer
similarity index 100%
rename from files/ssh-cert-renew@.timer
rename to files/ssh-host-cert-renew@.timer
diff --git a/files/ssh-user-cert-renew@.service b/files/ssh-user-cert-renew@.service
new file mode 100644
index 0000000..3595655
--- /dev/null
+++ b/files/ssh-user-cert-renew@.service
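Review bot: `ssh_cert_known_domain`, which the README hunk documents and the known_hosts task in tasks/main.yml now reads, is not declared in this defaults file, so a play that omits it fails deep inside the task list with an undefined-variable error; declare it here with a documented default, or keep it undefined and apply `|mandatory` where the task reads it. The file also drops the `---` document start the old version had and keeps a commented-out `#ssh_cert_host_addition_ids: []` that no task in this patch reads — either declare it as a real default or remove it. A one-line comment per variable (for example `# public key of this host, registered on the CA host` above `ssh_cert_host_pub_path`) would make the defaults readable without opening tasks/main.yml.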
@@ -0,0 +1,10 @@ +[Unit] +Description=Renewal ssh user certificate %i + +[Service] +EnvironmentFile=/etc/default/ssh-cert-renew +EnvironmentFile=-%h/.config/ssh/cert-renew +Type=oneshot +ExecStart=+mkdir -p %h/.config/ssh +ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \ + /etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} %h/.ssh/%i diff --git a/files/ssh-user-cert-renew@.timer b/files/ssh-user-cert-renew@.timer new file mode 100644 index 0000000..4d89a49 --- /dev/null +++ b/files/ssh-user-cert-renew@.timer @@ -0,0 +1,8 @@ +[Unit] +Description=Renewal ssh user certificate %i + +[Install] +WantedBy=timers.target + +[Timer] +OnCalendar=4:00 diff --git a/meta/main.yml b/meta/main.yml index 683c7d9..8f34091 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Denis Knauf - description: your role description + description: Provides ssh-certificates for servers as renewal service # issue_tracker_url: http://example.com/issue/tracker license: AGPL-3.0-or-later diff --git a/tasks/main.yml b/tasks/main.yml index 388d98f..f8ab8c2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -5,8 +5,6 @@ register: host_pub slurp: src: '{{ssh_cert_host_pub_path}}' - #dest: '{{ssh_cert_base_dir}}/host-{{inventory_hostname}}.pub' - #flat: true - set_fact: host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}' host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}' 
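Review bot: `ExecStart=+mkdir -p %h/.config/ssh` uses the `+` full-privilege prefix, which has no effect in a user-scope unit (the user manager already runs with the user's own privileges) and would be a hardening regression if this file were ever copied into the system scope; drop the `+`. The directory it creates is only consulted by `EnvironmentFile=-%h/.config/ssh/cert-renew`, and environment files are read before any ExecStart runs, so the mkdir does nothing for the current invocation and only prepares the path for a later manual override — a comment saying so would stop the next reader from wondering. The first `EnvironmentFile=/etc/default/ssh-cert-renew` has no `-` prefix, so the user unit fails outright if that root-written file is not readable by the user; the lineinfile task that creates it sets no `mode` in the visible hunks, so this presumably relies on the default umask, and making the mode explicit (the file holds only mail addresses and the sign host) would make the dependency deliberate.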
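Review bot: A user-scope timer only fires while that user's systemd instance is running, so for users who are not logged in at 04:00 and have no lingering enabled, `OnCalendar=4:00` never triggers and the user certificate silently expires; the same gap applies to the `enable users renewal services` task in tasks/main.yml (hunk `@@ -90,6 +112,26 @@`), which enables the timer but does not enable lingering for the account. Either document `loginctl enable-linger <user>` as a prerequisite for every entry in `ssh_cert_users`, or add a task that enables it before the timer is started. Adding `Persistent=true` under `[Timer]` would additionally run a missed renewal at the next manager start instead of waiting for the following 04:00.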
@@ -23,10 +21,32 @@ user: '{{ssh_ca_user}}' state: present key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}' - key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"' + key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"' + +- when: ssh_cert_users is defined + block: + - debug: var=ssh_cert_users + - name: Pull users pub + register: users_pub + become: yes + become_user: '{{item.user}}' + #shell: >- + # cat {{ssh_cert_user_pub_path|quote}} + slurp: + src: '{{ssh_cert_user_pub_path}}' + with_items: '{{ssh_cert_users}}' + - name: Register host pub for sshca + remote_user: root + delegate_to: '{{ssh_ca_host}}' + authorized_key: + user: '{{ssh_ca_user}}' + state: present + key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}' + key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"' + with_items: '{{users_pub.results}}' - name: Push ca pub - copy: + copy: src: '{{ssh_cert_host_capub_path}}' dest: '{{ssh_cert_host_capub_path}}' mode: 0644 @@ -42,7 +62,7 @@ known_hosts: hash_host: false path: /etc/ssh/ssh_known_hosts - name: denkn.at + name: '{{ssh_cert_known_domain}}' key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}" - name: install ssh-cert-renew 
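Review bot: `- debug: var=ssh_cert_users` and the commented-out `#shell: >-` / `# cat …` alternative in the `Pull users pub` task look like development leftovers and should be removed before merge; the debug task prints the full user/principal list on every run. The second task is named `Register host pub for sshca` but registers user keys, so `- name: Register user pub for sshca`, and `become: yes` should be `become: true` to match the later hunk in this file. The `restrict,command="…"` forced command is assembled with `|quote` (shell quoting), which does not escape a literal `"`, so a user name or principal containing one would end the `command=` option of the authorized_keys line early; these values come from inventory, so this is a robustness rather than a trust-boundary issue, but an `assert` on the shape of `ssh_cert_users` before the loop would make the failure explicit.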
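Review bot: Replacing `denkn.at` with `'{{ssh_cert_known_domain}}'` only changes the `name` the known_hosts module uses to locate the line; the trust scope is still set by the key's host pattern, `@cert-authority *`, which makes this CA a trusted host-key authority for every host name clients on this machine connect to, not just the configured domain. If the README's `Adds domain to trust by this CA` is the intent, scope the pattern too, e.g. `key: "@cert-authority *.{{ssh_cert_known_domain}},{{ssh_cert_known_domain}} {{lookup('file', ssh_cert_host_capub_path)}}"`; otherwise the README wording should say the CA is trusted for all hosts. `ssh_cert_known_domain` is also not declared in defaults/main.yml in this patch, so a missing value surfaces here as an undefined-variable error rather than a clear validation message.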
@@ -53,8 +73,10 @@ owner: root group: root with_dict: - ssh-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer - ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service + ssh-host-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer + ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service + ssh-user-cert-renew@.timer: /etc/systemd/user/ssh-cert-renew@.timer + ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service - name: install ssh-cert-renew copy: dest: '{{item.value}}' @@ -65,7 +87,7 @@ with_dict: ssh-cert-renew: /etc/systemd/ssh-cert-renew -- name: config ssh-cert-renew +- name: config host ssh-cert-renew lineinfile: create: true path: '/etc/default/ssh-cert-renew' @@ -76,7 +98,7 @@ ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}' ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}' -- name: renew ssh-cert +- name: renew host ssh-cert systemd: daemon_reload: true name: "ssh-cert-renew@ssh_host_ed25519_key.service" @@ -90,6 +112,26 @@ - "ssh-cert-renew@ssh_host_ed25519_key.timer" - ssh.service +- when: ssh_cert_users is defined + block: + - name: renew users ssh-cert + become_user: '{{item.user}}' + become: true + systemd: + scope: user + name: "ssh-cert-renew@id_ed25519.service" + state: started + with_items: '{{ssh_cert_users}}' + - name: enable users renewal services + become_user: '{{item.user}}' + become: true + systemd: + scope: user + name: "ssh-cert-renew@id_ed25519.timer" + enabled: true + state: started + with_items: '{{ssh_cert_users}}' + - name: reload ssh service: name: ssh diff --git a/vars/main.yml b/vars/main.yml index 67baa8e..9ce2cc3 100644 --- a/vars/main.yml +++ b/vars/main.yml 
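Review bot: The two user-scope `systemd` tasks in hunk `@@ -90,6 +112,26 @@` combine `become_user: '{{item.user}}'` with `scope: user`, which needs a running user manager and a reachable user bus for that account; for users who are not logged in this is likely to fail with a bus-connection error rather than enable anything, so the play should establish that precondition (or document it) before these tasks. The host renewal task above passes `daemon_reload: true`, but the user tasks do not, so a changed `/etc/systemd/user/ssh-cert-renew@.service` installed by hunk `@@ -53,8 +73,10 @@` is not re-read by an already-running user manager; add `daemon_reload: true` to the `renew users ssh-cert` task. A short comment on the block, e.g. `# user-scope units: each listed user needs a running user manager`, would record why these tasks differ from the host ones.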
@@ -1,9 +1,2 @@
-ssh_ca_user: sshca
-ssh_ca_base_dir: ~/.ssh-ca
-ssh_cert_sign_host: '{{ssh_ca_host}}'
-ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
-ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
-ssh_cert_host_capub_path: /etc/ssh/ca.pub
-ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
-ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
-#ssh_cert_host_addition_ids: []
+---
+# vim: set et sw=2 ts=2 sts=2: