
Proposition to manage SSH Certificates #177

Open
Clement87 opened this issue Feb 10, 2022 · 2 comments

Comments

@Clement87

Hi,
I'm using this role in addition to another one I made to manage SSH certificates with principals.
What are your thoughts if I submit a PR?

The change will look something like this:

Add 3 tasks

```yaml
# Deploy the user CA public key(s) that sshd will trust (TrustedUserCAKeys)
- name: Copy Trusted user CA Keys
  ansible.builtin.template:
    src: "trusted-user-ca-keys.pem.j2"
    dest: "/etc/ssh/trusted-user-ca-keys.pem"
  when: sshd_trusted_user_ca_keys_list is not none

# Directory referenced by AuthorizedPrincipalsFile (one file per OS user)
- name: Create Principals directory
  ansible.builtin.file:
    path: /etc/ssh/auth_principals/
    state: directory
    mode: '0755'
  when: sshd_principals is not none

# One principals file per OS user; item.key is the user, item.value the principals
- name: Copy Principals files
  ansible.builtin.template:
    src: "auth_principals.j2"
    dest: "/etc/ssh/auth_principals/{{ item.key }}"
    mode: '0644'
  loop: "{{ q('dict', sshd_principals) }}"
  when: sshd_principals is not none
```

Add 2 templates

trusted-user-ca-keys.pem.j2

```jinja
{% for key in sshd_trusted_user_ca_keys_list %}
{{ key }}
{% endfor %}
```

auth_principals.j2

```jinja
{% for principal in item.value %}
{{ principal }}
{% endfor %}
```

Example of values

```yaml
sshd_trusted_user_ca_keys_list:
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxITsDG2UVFYMUfh4Q==

# Key is the user in the OS, values are *principals* defined in the certificate
sshd_principals:
  admin:
    - frontend-admin
    - backend-admin
  somelinuxuser:
    - some-principal-defined-in-certificate
```

And of course, we would like to set this configuration:

```yaml
sshd:
  PasswordAuthentication: no
  TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pem
  AuthorizedPrincipalsFile: "/etc/ssh/auth_principals/%u"
```

To learn more about SSH certificates, here is a nice tutorial from HashiCorp

Best,
Clement
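As an added example (not the role's code and not part of the issue above), the following Python models what the proposal wires together: it renders the per-user principals files from an `sshd_principals`-shaped dict exactly as the `auth_principals.j2` template would, parses the principal list out of an OpenSSH ed25519 certificate line, and applies the `AuthorizedPrincipalsFile` rule sshd uses (a user certificate is accepted for OS user X only if at least one certificate principal appears in X's principals file and the certificate is inside its validity window). Assumptions: the certificate blob is constructed locally with placeholder key and signature bytes so the example runs without `ssh-keygen` (a real sshd would first verify the signature against `TrustedUserCAKeys`, which is deliberately not modelled), the sample users and principals are made up, and principals-file options such as `from="..."` are not handled.

```python
import base64
import struct
import time

# Constructed sample data (assumption, not from the issue): OS user -> principals,
# in the same shape as the proposed `sshd_principals` role variable.
SSHD_PRINCIPALS = {
    "admin": ["frontend-admin", "backend-admin"],
    "somelinuxuser": ["some-principal-defined-in-certificate"],
}

USER_CERT = 1  # certificate type values from OpenSSH PROTOCOL.certkeys
HOST_CERT = 2
CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def _s(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_s(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def render_principals_files(sshd_principals: dict) -> dict:
    """Render one AuthorizedPrincipalsFile body per OS user, mirroring the
    auth_principals.j2 template (one principal per line)."""
    return {user: "".join(p + "\n" for p in principals)
            for user, principals in sshd_principals.items()}


def build_test_cert(principals, key_id="test", cert_type=USER_CERT,
                    valid_after=0, valid_before=0xFFFFFFFFFFFFFFFF) -> str:
    """Build a structurally valid but UNSIGNED ed25519 certificate line
    (assumption: placeholder public key and signature bytes) so the parser
    can be exercised offline. sshd would reject this blob at signature
    verification; it only serves to test the principal-matching logic."""
    blob = (_s(CERT_TYPE.encode())
            + _s(b"\x00" * 32)                     # nonce
            + _s(b"\x01" * 32)                     # placeholder ed25519 pk
            + struct.pack(">Q", 1)                 # serial
            + struct.pack(">I", cert_type)         # 1 = user, 2 = host
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))  # packed list
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + _s(b"")                              # critical options
            + _s(b"")                              # extensions
            + _s(b"")                              # reserved
            + _s(b"\x02" * 32)                     # placeholder signature key
            + _s(b"\x03" * 64))                    # placeholder signature
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {key_id}"


def parse_cert(line: str) -> dict:
    """Parse type, key id, principals and validity window from a certificate
    line as found in *-cert.pub (ed25519 layout per PROTOCOL.certkeys)."""
    cert_type, b64 = line.split()[:2]
    if cert_type != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {cert_type}")
    blob = base64.b64decode(b64)
    typ, off = _read_s(blob, 0)
    _nonce, off = _read_s(blob, off)
    _pk, off = _read_s(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_s(blob, off)
    packed, off = _read_s(blob, off)
    principals, p = [], 0
    while p < len(packed):          # principals are a packed list of strings
        name, p = _read_s(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": typ.decode(), "serial": serial, "cert_type": ctype,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def authorize(cert_line: str, os_user: str, principals_files: dict,
              now=None) -> bool:
    """Model the AuthorizedPrincipalsFile check sshd applies AFTER verifying
    the signature against TrustedUserCAKeys (not modelled here): allow only a
    user certificate, inside its validity window, whose principal list shares
    at least one entry with the target OS user's principals file."""
    now = int(time.time()) if now is None else now
    cert = parse_cert(cert_line)
    if cert["cert_type"] != USER_CERT:
        return False
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    allowed = set(principals_files.get(os_user, "").split())
    return any(p in allowed for p in cert["principals"])


if __name__ == "__main__":
    files = render_principals_files(SSHD_PRINCIPALS)
    cert = build_test_cert(["frontend-admin"], key_id="alice")
    print(parse_cert(cert)["principals"], authorize(cert, "admin", files),
          authorize(cert, "somelinuxuser", files))
```

The point the model makes explicit is that the certificate carries principals, not OS user names: "alice" logs in as `admin` only because `frontend-admin` is listed in `/etc/ssh/auth_principals/admin`, and the same certificate is refused for `somelinuxuser`, whose file lists a different principal. A host certificate or an expired certificate is refused regardless of its principals.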

@Jakuje
Collaborator

Jakuje commented Mar 17, 2022

I think this is a good idea. I had the certificate use case in my mind for some time already, but as I did not have any practical experience with this, I did not want to force some artificial workflow.

From the current proposal, I would certainly like to have the /etc/ssh/auth_principals/ path configurable. It should be in one place so one does not have to enter the path both in sshd.AuthorizedPrincipalsFile and in the two places in the tasks above. Similarly for the path /etc/ssh/trusted-user-ca-keys.pem. And does it need to have the .pem extension when it is not a PEM file?

I would also like to see some tests to verify this works correctly on all supported/tested distributions (but it's harder with containers in GitHub Actions).

From what I see, this only deploys the User CA on the system and configures principals. This is the easy part. Did you think about implementing the host CA?

@EmyLIEUTAUD
Contributor

The pull request is done: #252

Implementation of Host CA is not yet planned. We need to test different solutions to find the best way to do it.

If you have any suggestions or comments, please do not hesitate.
