106 lines
2.3 KiB
Plaintext
106 lines
2.3 KiB
Plaintext
ssh_cert
|
|
========
|
|
|
|
Implements SSH-Certificate-renewal on hosts.
|
|
The renewal-process connects to ssh-ca-host and fetches a new certificate, if needed.
|
|
|
|
These renewal can be used for host-certificates and user-certificates.
|
|
|
|
Prepares `sshd_config` to use the CA and the host-certificate.
|
|
|
|
Requirements
|
|
------------
|
|
|
|
systemd is required, so it would not work on alpine or openwrt, yet.
|
|
|
|
Role Variables
|
|
--------------
|
|
|
|
ssh_ca_host::
|
|
Hostmachine for CA.
|
|
This is not host-specific, so you should change it for all hosts or neither.
|
|
Must match with `ssh_ca`-role.
|
|
|
|
ssh_ca_user::
|
|
Hostmachine for CA.
|
|
This is not host-specific, so you should change it for all hosts or neither.
|
|
Must match with `ssh_ca`-role.
|
|
Default: `sshca`
|
|
|
|
ssh_ca_base_dir::
|
|
Path to CA base on ssh-ca-host.
|
|
This is not host-specific, so you should change it for all hosts or neither.
|
|
Must match with `ssh_ca`-role.
|
|
Default: `~/.ssh-ca`
|
|
**Do not change!**
|
|
|
|
ssh_cert_known_domain::
|
|
Adds domain to trust by this CA.
|
|
|
|
ssh_cert_mail_to::
|
|
If you want to be informed on renewal or errors, provide a mailto-address.
|
|
Mandatory, yet.
|
|
|
|
ssh_cert_mail_from::
|
|
If you want to be informed on renewal or errors, provide an address of sender.
|
|
Mandatory, yet.
|
|
|
|
ssh_cert_sign_host::
|
|
Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`
|
|
|
|
ssh_cert_host_pub_path::
|
|
Path to host-key-pub on host-machine.
|
|
Would be used like a CSR.
|
|
Default: `/etc/ssh/ssh_host_ed25519_key.pub`
|
|
|
|
ssh_cert_host_cert_path::
|
|
Where to place the host-certificate on host-machine?
|
|
Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`
|
|
|
|
ssh_cert_host_capub_path::
|
|
Where to place the CA on host-machine?
|
|
Default: `/etc/ssh/ca.pub`
|
|
|
|
ssh_cert_user_pub_path::
|
|
Path to user-key-pub on host-machine.
|
|
Would be used like a CSR.
|
|
Default: `~/.ssh/id_ed25519.pub`
|
|
|
|
ssh_cert_user_cert_path::
|
|
Where to place the user-certificate on host-machine?
|
|
Default: `~/.ssh/id_ed25519-cert.pub`
|
|
|
|
ssh_cert_host_addition_ids::
|
|
Additional IDs (as list) placed in certificate.
|
|
For host-keys, additional hostnames like `git.example.net`.
|
|
Default is empty.
|
|
|
|
Dependencies
|
|
------------
|
|
|
|
* ssh-ca
|
|
|
|
Example Playbook
|
|
----------------
|
|
|
|
Optional, use ssh-ca-role before.
|
|
|
|
Then use the regular role:
|
|
|
|
----
|
|
- name: SSH-Cert
|
|
hosts: hosts
|
|
roles:
|
|
- role: ssh-cert
|
|
----
|
|
|
|
License
|
|
-------
|
|
|
|
AGPLv3
|
|
|
|
Author Information
|
|
------------------
|
|
|
|
Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert
|