
roles/ssh_server: multi key and OpenSSH v8 support

Add support for OpenSSH v8 (output of `ssh-keygen` changed slightly) in
module `ssh_cert` and use a better implementation for multiple user CAs.

Now we are reading user_ca from `group_vars/all.yaml`.
`user_ca_keys` should be a list of each allowed User CA on one host (in
this way it is easier to rotate CAs without reissuing keys to each user at
the same time).
The production CA must be the first one in the list. The host certificate
will be checked only against the first CA and updated if its host key
was issued from another CA in the list.

For this reason now we are using a template to create
`/etc/ssh/user_ca.pub` on the target, to preserve the key order.

`group_vars/all.yaml.example` has been updated to reflect the new usage.
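The two parsing rules the commit describes (locate the "Signing CA" fingerprint in `ssh-keygen -L` output regardless of the extra fields newer versions print, and treat the first key of a multi-key `user_ca.pub` listing as the production CA) can be made robust against both format drift and empty files. The following is an added example written for this page, not code from the repository; the `ssh-keygen` listings it parses are constructed for illustration, and the `(using rsa-sha2-512)` suffix stands in for the extra field that newer `ssh-keygen` releases append.

```python
# Added example (not the project's ssh_cert module). Parses constructed
# ssh-keygen output to show a position-independent "Signing CA" lookup and
# a guarded "first key is production" rule for a multi-key CA file.

HASH_PREFIXES = ("SHA256:", "MD5:")


def signing_ca_fingerprint(cert_lines):
    """Return the CA fingerprint from `ssh-keygen -L` output, or None.

    The fingerprint is found by its hash prefix rather than by its index,
    so a trailing "(using <alg>)" field, or any future extra field, cannot
    shift it or raise IndexError.
    """
    for line in cert_lines:
        stripped = line.strip()
        if not stripped.startswith("Signing CA"):
            continue
        for token in stripped.split():
            if token.startswith(HASH_PREFIXES):
                return token
        return None  # "Signing CA" line present but no fingerprint token
    return None  # not a certificate listing at all


def production_ca(ca_list_lines):
    """Parse `ssh-keygen -l -f user_ca.pub` output for a multi-key file.

    Mirrors the commit's rule that the first listed key is the production
    CA. Returns (fingerprint, comment) or None when the listing is empty
    or malformed, instead of failing with IndexError on an empty CA file.
    """
    first = next((l for l in ca_list_lines if l.strip()), None)
    if first is None:
        return None
    fields = first.split(maxsplit=2)
    if len(fields) < 3 or not fields[1].startswith(HASH_PREFIXES):
        return None
    return fields[1], fields[2]


def needs_reissue(cert_lines, ca_list_lines):
    """True when the host certificate was not signed by the production CA."""
    prod = production_ca(ca_list_lines)
    if prod is None:
        raise ValueError("no CA key found in user_ca.pub listing")
    return signing_ca_fingerprint(cert_lines) != prod[0]


# Constructed sample output (fingerprints are placeholders, not real keys).
CERT_OLD_FORMAT = """\
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:HHHHconstructedhostkey
        Signing CA: RSA SHA256:PPPPconstructedprodca
        Key ID: "host.example.internal"
""".splitlines()

CERT_NEW_FORMAT = """\
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:HHHHconstructedhostkey
        Signing CA: RSA SHA256:PPPPconstructedprodca (using rsa-sha2-512)
        Key ID: "host.example.internal"
""".splitlines()

CERT_STALE = """\
/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Signing CA: RSA SHA256:OOOOconstructedoldca (using rsa-sha2-512)
""".splitlines()

# `ssh-keygen -l` on a file holding two CA keys: production first, old second.
CA_LIST = """\
3072 SHA256:PPPPconstructedprodca prod-ca-2019 (RSA)
3072 SHA256:OOOOconstructedoldca old-ca-2017 (RSA)
""".splitlines()

if __name__ == "__main__":
    print("old format CA:", signing_ca_fingerprint(CERT_OLD_FORMAT))
    print("new format CA:", signing_ca_fingerprint(CERT_NEW_FORMAT))
    print("production CA:", production_ca(CA_LIST))
    print("stale cert needs reissue:", needs_reissue(CERT_STALE, CA_LIST))
```

`production_ca` returns the comment field exactly as `split(maxsplit=2)` leaves it, so the trailing key-type marker stays attached to the comment; callers that want a clean comment should strip that suffix themselves.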
python3
Zolfa 5 years ago
parent
commit
1ca9f816d8
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
4 changed files with 17 additions and 9 deletions
  1. group_vars/all.yaml.example (+4, -2)
  2. library/ssh_cert.py (+7, -1)
  3. roles/ssh_server/tasks/main.yaml (+2, -6)
  4. roles/ssh_server/templates/user_ca.pub.j2 (+4, -0)

group_vars/all.yaml.example (+4, -2)

@ -3,8 +3,10 @@
management_gateway: 0.0.0.0
# ip of the vm vlan gateway
vm_gateway: 0.0.0.0
# Put here the public key of the users CA.
user_ca_key: ""
# Put here a list of public keys for each allowed users CA.
# The first one should be the current production one.
user_ca_keys:
- ""
# Put here the public ip for your organisation
public_ip: 0.0.0.0
# Put here the domain for your organisation
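Review bot: the `user_ca_keys` comment says only that the first key "should be" production, but the module now verifies the host certificate against the first entry alone, so spell that consequence out here (for example `# The host certificate is verified only against the first key; put a new CA first to rotate`). The placeholder entry `- ""` is also rendered verbatim by the new template, so an operator who leaves it in place gets an empty line in /etc/ssh/user_ca.pub; a commented example of the expected `ssh-rsa AAAA... comment` form would make the intended content clearer.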


library/ssh_cert.py (+7, -1)

@ -24,7 +24,11 @@ def serial(lines):
def signin_ca(lines):
for l in lines:
if l.startswith('Signing CA'):
return l.split().pop()
# return l.split().pop()
# Starting from OpenSSH v8 the output format of ssh-keygen
# has changed, this should work for all versions:
return l.split()[3]
def still_valid(cert_timestamps):
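Review bot: `return l.split()[3]` in `signin_ca` depends on the fingerprint being the fourth whitespace-separated token, so a "Signing CA" line with fewer fields raises an uncaught IndexError inside the module instead of a clean failure; selecting the token that starts with the hash prefix (`SHA256:` or `MD5:`) works for both the old and the new `ssh-keygen` layout without the positional assumption. The superseded `# return l.split().pop()` should be deleted rather than left as a comment.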
@ -79,6 +83,8 @@ def main():
'-f', result['ca']['path'],
])
# If multiple CA are present verify cert against the first one
ca_output = ca_output.splitlines()[0]
ca_lines = ca_output.decode().split(maxsplit=2)
result['ca']['fingerprint'] = ca_lines[1]
result['ca']['comment'] = ca_lines[2]
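Review bot: `ca_output.splitlines()[0]` raises IndexError when `ssh-keygen -l` produces no output (an empty or malformed user_ca.pub), which surfaces as a traceback rather than a `fail_json` result; check that the list is non-empty before indexing. Since "production" is now defined purely by position in the file, the comment should also say where that order comes from (`user_ca_keys` in group_vars), so a later reordering of the list is understood to change which CA host certificates are validated against.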


roles/ssh_server/tasks/main.yaml (+2, -6)

@ -8,13 +8,9 @@
- openssh-server
- openssh-sftp-server
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'lilik_ca_s1.pub') }}"
- name: Update container user CA key
copy:
content: "{{ user_ca_key }}"
template:
src: user_ca.pub.j2
dest: "/etc/ssh/user_ca.pub"
notify: restart ssh
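Review bot: the new `template` task sets no `owner`, `group` or `mode`, so /etc/ssh/user_ca.pub is created with umask-dependent permissions; for a trust anchor that sshd reads, set them explicitly (`owner: root`, `group: root`, `mode: '0644'`). Dropping the hard-coded `lookup('file', 'lilik_ca_s1.pub')` is an improvement, but the role now depends on `user_ca_keys` being defined; an `assert` that the list is non-empty would give a clearer failure than an undefined-variable error raised from inside the template.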


roles/ssh_server/templates/user_ca.pub.j2 (+4, -0)

@ -0,0 +1,4 @@
{% for key in user_ca_keys %}
{{ key }}
{% endfor %}
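Review bot: each `{{ key }}` is emitted verbatim, so an entry with surrounding whitespace or a trailing newline (easy to get when a key is pasted into YAML as a block scalar) inserts blank lines or breaks the one-key-per-line layout; render `{{ key | trim }}` and skip empty entries (`{% if key | trim %}`) so the `""` placeholder from the example cannot produce an empty line.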
