Denis Knauf 202f8b40da meta
2020-09-16 14:23:32 +02:00
defaults init 2020-09-16 14:19:19 +02:00
files init 2020-09-16 14:19:19 +02:00
handlers init 2020-09-16 14:19:19 +02:00
meta meta 2020-09-16 14:23:32 +02:00
tasks init 2020-09-16 14:19:19 +02:00
tests init 2020-09-16 14:19:19 +02:00
vars init 2020-09-16 14:19:19 +02:00
.gitignore Initial commit 2020-09-16 13:24:18 +02:00
LICENSE Initial commit 2020-09-16 13:24:18 +02:00
README.adoc init 2020-09-16 14:19:19 +02:00

ssh_cert
========

Implements SSH certificate renewal on hosts.
The renewal process connects to the SSH CA host and fetches a new certificate if one is needed.

The renewal can be used for host certificates and for user certificates.

It also prepares `sshd_config` to use the CA and the host certificate.
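The decision behind "fetches a new certificate if one is needed" can be made concrete. The following is an added Python example, not code from this role: it assumes the current certificate was listed with `ssh-keygen -L -f <cert>` (the sample output below is constructed, with placeholder fingerprints), and it treats a certificate as due for renewal when it is missing, expired, expires within an assumed 7-day window, or lacks a principal the host now needs (for example a hostname newly added to `ssh_cert_host_addition_ids`).

```python
import re
from datetime import datetime, timedelta

# Timestamp format used by `ssh-keygen -L` in its "Valid:" line (local time, no zone).
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample of `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` output;
# fingerprints are placeholders, nothing here was captured from a real host.
SAMPLE_CERT_INFO = """\
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDERKEYFINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDERCAFINGERPRINT (using ssh-ed25519)
        Key ID: "web01.example.net"
        Serial: 7
        Valid: from 2020-09-16T14:19:19 to 2020-10-16T14:19:20
        Principals:
                web01.example.net
                git.example.net
        Critical Options: (none)
        Extensions: (none)
"""


def parse_ts(text):
    """Parse one ssh-keygen timestamp."""
    return datetime.strptime(text, TS_FMT)


def parse_validity(cert_info):
    """Return (not_before, not_after); None on a side means unbounded.

    ssh-keygen prints one of: 'forever', 'before T', 'after T', 'from T to T'.
    """
    m = re.search(r"^\s*Valid:\s+(.+?)\s*$", cert_info, re.MULTILINE)
    if not m:
        raise ValueError("no 'Valid:' line in ssh-keygen -L output")
    spec = m.group(1)
    if spec == "forever":
        return None, None
    if spec.startswith("before "):
        return None, parse_ts(spec[len("before "):])
    if spec.startswith("after "):
        return parse_ts(spec[len("after "):]), None
    m = re.fullmatch(r"from (\S+) to (\S+)", spec)
    if not m:
        raise ValueError(f"unrecognised validity spec: {spec!r}")
    return parse_ts(m.group(1)), parse_ts(m.group(2))


def parse_principals(cert_info):
    """Return the certificate's principals (hostnames for a host certificate) as a list."""
    lines = cert_info.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith("Principals:"):
            continue
        if stripped.endswith("(none)"):
            return []
        indent = len(line) - len(line.lstrip())
        principals = []
        for follower in lines[i + 1:]:
            # Principals are listed one per line, indented deeper than the header.
            if len(follower) - len(follower.lstrip()) <= indent:
                break
            principals.append(follower.strip())
        return principals
    raise ValueError("no 'Principals:' line in ssh-keygen -L output")


def renewal_decision(cert_info, now, required_principals=(), min_remaining=timedelta(days=7)):
    """Decide whether a new certificate must be fetched from the CA.

    cert_info is the `ssh-keygen -L` text of the current certificate, or None when
    no certificate file exists yet. Returns (renew, reason).
    """
    if cert_info is None:
        return True, "no certificate present"
    not_before, not_after = parse_validity(cert_info)
    if not_before is not None and now < not_before:
        return True, "not yet valid (clock skew or future-dated issue)"
    if not_after is not None:
        if now >= not_after:
            return True, "expired"
        if not_after - now <= min_remaining:
            return True, f"expires within {min_remaining.days} days"
    missing = sorted(set(required_principals) - set(parse_principals(cert_info)))
    if missing:
        return True, "missing principals: " + ", ".join(missing)
    return False, "certificate is current"


if __name__ == "__main__":
    print(renewal_decision(SAMPLE_CERT_INFO, datetime.now(),
                           required_principals=["web01.example.net", "git.example.net"]))
```

Renewing a few days before expiry rather than at expiry gives the CA host, the mail notification and a human some slack; a certificate that has already expired means `sshd` is presenting an invalid certificate and clients fall back to plain host-key trust, which is exactly what the CA was meant to avoid.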

Requirements
------------

systemd is required, so this role does not yet work on Alpine or OpenWrt.

Role Variables
--------------

ssh_ca_host::
Host machine running the CA.
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.

ssh_ca_user::
User on the CA host machine that runs the CA; the renewal process connects as `{{ssh_ca_user}}@{{ssh_ca_host}}`.
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.
Default: `sshca`

ssh_ca_base_dir::
Path to the CA base directory on the CA host.
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.
Default: `~/.ssh-ca`

ssh_cert_mail_to::
To be notified about renewals and errors, provide the recipient mail address.
Currently mandatory.

ssh_cert_mail_from::
To be notified about renewals and errors, provide the sender address.
Currently mandatory.

ssh_cert_sign_host::
SSH target (`user@host`) that the renewal process connects to for signing.
Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`

ssh_cert_host_pub_path::
Path to the host public key on the host machine.
It plays the role of a CSR: this public key is what the CA signs.
Default: `/etc/ssh/ssh_host_ed25519_key.pub`

ssh_cert_host_cert_path::
Where the host certificate is placed on the host machine.
Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`

ssh_cert_host_capub_path::
Where the CA public key is placed on the host machine.
Default: `/etc/ssh/ca.pub`

ssh_cert_user_pub_path::
Path to the user public key on the host machine.
It plays the role of a CSR: this public key is what the CA signs.
Default: `~/.ssh/id_ed25519.pub`

ssh_cert_user_cert_path::
Where the user certificate is placed on the host machine.
Default: `~/.ssh/id_ed25519-cert.pub`

ssh_cert_host_addition_ids::
Additional IDs (as a list) to include in the certificate as principals.
For host keys these are additional hostnames such as `git.example.net`.
Default is empty.
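With the defaults above, the host certificate lives at `/etc/ssh/ssh_host_ed25519_key-cert.pub` and the CA public key at `/etc/ssh/ca.pub`, and `sshd_config` has to point at both: `HostCertificate` for the host certificate and `TrustedUserCAKeys` so that user certificates signed by the CA are accepted. The following added Python example (not the role's own tasks; the sample config is constructed) shows an idempotent edit that sets those directives exactly once, drops stale active copies, and keeps them above any `Match` block, because everything after a `Match` line is conditional and would silently not apply globally.

```python
import re

# Default paths from the role variables above; the keys are sshd_config keywords.
DEFAULT_DIRECTIVES = {
    "HostCertificate": "/etc/ssh/ssh_host_ed25519_key-cert.pub",  # ssh_cert_host_cert_path
    "TrustedUserCAKeys": "/etc/ssh/ca.pub",                        # ssh_cert_host_capub_path
}

# Constructed sample sshd_config, not copied from any real host. It has a stale
# TrustedUserCAKeys line, a commented-out HostCertificate and a trailing Match block.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
#HostCertificate /etc/ssh/old-cert.pub
TrustedUserCAKeys /etc/ssh/legacy-ca.pub
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""


def first_match_index(lines):
    """Index of the first 'Match' line, or len(lines) if there is none."""
    for i, line in enumerate(lines):
        if re.match(r"^\s*match\b", line, re.IGNORECASE):
            return i
    return len(lines)


def keyword_of(line):
    """Lower-cased sshd_config keyword of an active line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # sshd accepts 'Keyword value' and 'Keyword=value'; keywords are case-insensitive.
    return re.split(r"[\s=]+", stripped, maxsplit=1)[0].lower()


def ensure_directives(config_text, directives):
    """Return config_text with each directive set exactly once in the global section.

    Active lines for the same keyword before the first Match block are removed;
    commented-out lines and everything inside Match blocks are left untouched.
    """
    lines = config_text.splitlines()
    split = first_match_index(lines)
    wanted = {k.lower() for k in directives}
    head = [line for line in lines[:split] if keyword_of(line) not in wanted]
    tail = lines[split:]
    # Trim blank lines so the new block sits directly above the Match section.
    while head and not head[-1].strip():
        head.pop()
    block = [f"{key} {value}" for key, value in directives.items()]
    out = head + block + ([""] + tail if tail else [])
    return "\n".join(out) + "\n"


def active_value(config_text, keyword):
    """Value sshd would use for keyword: first active occurrence in the global section wins."""
    lines = config_text.splitlines()
    for line in lines[:first_match_index(lines)]:
        if keyword_of(line) == keyword.lower():
            parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
            return parts[1] if len(parts) > 1 else ""
    return None


if __name__ == "__main__":
    print(ensure_directives(SAMPLE_SSHD_CONFIG, DEFAULT_DIRECTIVES), end="")
```

Whatever writes the file should run `sshd -t` on the result before reloading the daemon: a typo in either path makes `sshd` refuse to start, and on a remote host that is a lock-out.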

Dependencies
------------

* ssh-ca

Example Playbook
----------------

Optionally, apply the ssh-ca role first:

----
- name: SSH-CA
  hosts: ssh_ca_server
  roles:
    - role: ssh-ca
----

This is needed on one machine only.

Then apply the regular role:

----
- name: SSH-Cert
  hosts: hosts
  roles:
    - role: ssh-cert
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert