ssh_cert
========
Implements SSH certificate renewal on hosts.
The renewal process connects to the ssh-ca host and fetches a new certificate if needed.
This renewal can be used for host certificates and for user certificates.
Prepares `sshd_config` to use the CA and the host certificate.
Requirements
------------
systemd is required, so this role does not yet work on Alpine or OpenWrt.
Role Variables
--------------
ssh_ca_host::
Host machine of the CA.
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.
ssh_ca_user::
User account on the CA host (the default `ssh_cert_sign_host` is `{{ssh_ca_user}}@{{ssh_ca_host}}`).
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.
Default: `sshca`
ssh_ca_base_dir::
Path to the CA base directory on the ssh-ca host.
This is not host-specific, so change it for all hosts or for none.
Must match the `ssh_ca` role.
Default: `~/.ssh-ca`
ssh_cert_mail_to::
If you want to be notified of renewals or errors, provide a recipient mail address.
Currently mandatory.
ssh_cert_mail_from::
If you want to be notified of renewals or errors, provide the sender address.
Currently mandatory.
ssh_cert_sign_host::
Target (`user@host`) the renewal process connects to for signing.
Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`
ssh_cert_host_pub_path::
Path to the host public key on the host machine.
It is used like a CSR.
Default: `/etc/ssh/ssh_host_ed25519_key.pub`
ssh_cert_host_cert_path::
Where to place the host certificate on the host machine.
Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`
ssh_cert_host_capub_path::
Where to place the CA public key on the host machine.
Default: `/etc/ssh/ca.pub`
ssh_cert_user_pub_path::
Path to the user public key on the host machine.
It is used like a CSR.
Default: `~/.ssh/id_ed25519.pub`
ssh_cert_user_cert_path::
Where to place the user certificate on the host machine.
Default: `~/.ssh/id_ed25519-cert.pub`
ssh_cert_host_addition_ids::
Additional IDs (as a list) placed in the certificate.
For host keys, these are additional hostnames such as `git.example.net`.
Default: empty.
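As an added illustration that is not part of this role, the following check mirrors the "fetches a new certificate if needed" decision: it parses `ssh-keygen -L` output for the certificate at `ssh_cert_host_cert_path` and reports that renewal is due when the certificate is close to expiry or lacks one of the hostnames you would put into `ssh_cert_host_addition_ids`. The sample output, hostnames, fingerprints and the 7-day threshold are constructed; the role's own renewal criterion is not documented on this page.

```python
#!/usr/bin/env python3
"""Decide whether an SSH certificate should be renewed, from `ssh-keygen -L` output."""
import re
from datetime import datetime, timedelta

# Constructed sample of `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` output.
SAMPLE_CERT_INFO = """\
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER_CA_FINGERPRINT (using ssh-ed25519)
        Key ID: "host.example.net"
        Valid: from 2024-03-01T00:00:00 to 2024-04-01T00:00:00
        Principals:
                host.example.net
                git.example.net
        Critical Options: (none)
"""

# ssh-keygen prints either "Valid: forever" or "Valid: from <ts> to <ts>".
VALID_RE = re.compile(r"Valid: (?:forever|from (\S+) to (\S+))")


def parse_cert_info(text):
    """Extract validity interval and principals; valid_to is None for 'forever'."""
    m = VALID_RE.search(text)
    if not m:
        raise ValueError("no 'Valid:' line in ssh-keygen -L output")
    valid_from = datetime.fromisoformat(m.group(1)) if m.group(1) else None
    valid_to = datetime.fromisoformat(m.group(2)) if m.group(2) else None
    principals, collecting = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Principals:":
            collecting = True          # names follow, one per line, indented deeper
        elif collecting and ":" in stripped:
            collecting = False         # next section ("Critical Options:") ends the list
        elif collecting and stripped:
            principals.append(stripped)
    return {"valid_from": valid_from, "valid_to": valid_to, "principals": principals}


def needs_renewal(text, now, min_remaining=timedelta(days=7), required_principals=()):
    """Return (renew, reason): renew when the cert expires soon or lacks a wanted principal."""
    info = parse_cert_info(text)
    if info["valid_to"] is not None and info["valid_to"] - now < min_remaining:
        return True, "expires " + info["valid_to"].isoformat()
    missing = [p for p in required_principals if p not in info["principals"]]
    if missing:
        return True, "missing principals: " + ", ".join(missing)
    return False, "certificate still valid"
```

Run it against the real file with `subprocess.run(["ssh-keygen", "-L", "-f", path], capture_output=True, text=True).stdout` and `datetime.now()`; the timestamps `ssh-keygen -L` prints are in local time, so compare with a naive local `now`.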
Dependencies
------------
* ssh-ca
Example Playbook
----------------
Optional, run the ssh-ca role first:
----
- name: SSH-CA
  hosts: ssh_ca_server
  roles:
    - role: ssh-ca
----
You need this on one machine only.
Then use the regular role:
----
- name: SSH-Cert
  hosts: hosts
  roles:
    - role: ssh-cert
----
License
-------
AGPLv3
Author Information
------------------
Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert