From 20d0299e32e64016ef99141f912ebaf5474bfec5 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 4 Apr 2023 09:26:16 +0200 Subject: [PATCH] add ssh ca --- ansible/ansible.cfg | 1 + ansible/hermes.yml | 1 + ansible/roles/ssh/files/ca.sh | 29 ++++++++++++++++++++ ansible/roles/ssh/files/keys/host_ca_key | 27 ++++++++++++++++++ ansible/roles/ssh/files/keys/host_ca_key.pub | 1 + ansible/roles/ssh/files/keys/user_ca_key | 27 ++++++++++++++++++ ansible/roles/ssh/files/keys/user_ca_key.pub | 1 + ansible/roles/ssh/tasks/main.yml | 8 ++++++ ansible/util/secret-service-client.sh | 9 ++++++ 9 files changed, 104 insertions(+) create mode 100755 ansible/roles/ssh/files/ca.sh create mode 100644 ansible/roles/ssh/files/keys/host_ca_key create mode 100644 ansible/roles/ssh/files/keys/host_ca_key.pub create mode 100644 ansible/roles/ssh/files/keys/user_ca_key create mode 100644 ansible/roles/ssh/files/keys/user_ca_key.pub create mode 100644 ansible/roles/ssh/tasks/main.yml create mode 100755 ansible/util/secret-service-client.sh diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 7c6f1c2..56c7e01 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -2,6 +2,7 @@ roles_path=roles inventory=inventory interpreter_python=/usr/bin/python3 +vault_password_file=util/secret-service-client.sh [diff] always = True diff --git a/ansible/hermes.yml b/ansible/hermes.yml index 0338a47..3e90e95 100644 --- a/ansible/hermes.yml +++ b/ansible/hermes.yml @@ -39,3 +39,4 @@ roles: - dnsmasq - nsd + - ssh diff --git a/ansible/roles/ssh/files/ca.sh b/ansible/roles/ssh/files/ca.sh new file mode 100755 index 0000000..0a4db50 --- /dev/null +++ b/ansible/roles/ssh/files/ca.sh 
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+HOSTCAKEY=/root/.ssh/host_ca_key
+USERCAKEY=/root/.ssh/user_ca_key
+
+host() {
+ PUBKEY="$2"
+ HOST="$3"
+
+ echo "$PUBKEY" > /tmp/"$HOST".pub
+ ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" /tmp/"$HOST".pub
+ cat /tmp/"$HOST"-cert.pub
+ rm /tmp/"$HOST"*.pub
+}
+
+user() {
+ PUBKEY="$2"
+ HOST="$3"
+ PRINCIPALS="$4"
+
+ echo "$PUBKEY" > /tmp/"$HOST".pub
+ ssh-keygen -s "$USERCAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" /tmp/"$HOST".pub
+ cat /tmp/"$HOST"-cert.pub
+ rm /tmp/"$HOST"*.pub
+}
+
+"$1" "$@"
diff --git a/ansible/roles/ssh/files/keys/host_ca_key b/ansible/roles/ssh/files/keys/host_ca_key
new file mode 100644
index 0000000..9942088
--- /dev/null
+++ b/ansible/roles/ssh/files/keys/host_ca_key
@@ -0,0 +1,27 @@
+$ANSIBLE_VAULT;1.1;AES256
+65393830356161326338323139306466316362303835393833383633363431303639393835666538
+6639653036666261363236393832343236656531633261360a333664363033356432386439336630
+65336333666662633635316565363366353530653831383937616566386165346663393938386530
+3233613134343331350a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
diff --git a/ansible/roles/ssh/files/keys/host_ca_key.pub b/ansible/roles/ssh/files/keys/host_ca_key.pub
new file mode 100644
index 0000000..4a19643
--- /dev/null
+++ b/ansible/roles/ssh/files/keys/host_ca_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ
diff --git a/ansible/roles/ssh/files/keys/user_ca_key b/ansible/roles/ssh/files/keys/user_ca_key
new file mode 100644
index 0000000..cf8ef0c
--- /dev/null
+++ b/ansible/roles/ssh/files/keys/user_ca_key
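Review bot: The dispatcher `"$1" "$@"` on the last line of ca.sh runs whatever command name the caller passes as the first argument, not only the two functions defined above it, so a script that holds the CA keys (and presumably runs as root, given the `/root/.ssh` paths) should restrict it with a `case` on `$1`. The work files in `host()` and `user()` are built from the caller-supplied `$HOST` as `/tmp/"$HOST".pub`, a predictable name in a shared directory that also accepts path separators, and `rm /tmp/"$HOST"*.pub` becomes `rm /tmp/*.pub` when `HOST` is empty; a private directory from `mktemp -d` removed by a `trap` avoids both. Neither `ssh-keygen` call passes `-V`, so the issued certificates never expire; a bounded validity such as `-V +52w` for host certificates would keep rotation possible. A rewrite of `host()` and the dispatcher along those lines:
```shell
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "$WORKDIR"' EXIT

host() {
  local PUBKEY="$2" HOST="$3"
  printf '%s\n' "$PUBKEY" > "$WORKDIR/key.pub"
  ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" "$WORKDIR/key.pub"
  cat "$WORKDIR/key-cert.pub"
}

# … unchanged: user() adapted the same way …

case "$1" in
  host|user) "$1" "$@" ;;
  *) printf 'usage: %s host|user ...\n' "$0" >&2; exit 2 ;;
esac
```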
@@ -0,0 +1,27 @@
+$ANSIBLE_VAULT;1.1;AES256
+36306261333262396466633565653163323239396630653031343331653337376433356461613064
+3333316136343033396131356638666661623464333333310a636264616339363366386633663965
+64336437316366333363396162376337653537376365306638316166663437643731613935353137
+6138306232396134310a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
diff --git a/ansible/roles/ssh/files/keys/user_ca_key.pub b/ansible/roles/ssh/files/keys/user_ca_key.pub
new file mode 100644
index 0000000..71ab782
--- /dev/null
+++ b/ansible/roles/ssh/files/keys/user_ca_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ
diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..b8b9872
--- /dev/null
+++ b/ansible/roles/ssh/tasks/main.yml
@@ -0,0 +1,8 @@
+- name: Copy ca.sh
+ copy:
+ src: "{{ role_path }}/files/ca.sh"
+ dest: /root/ca.sh
+- name: Copy keys
+ copy:
+ src: "{{ role_path }}/files/keys/"
+ dest: /root/.ssh/
diff --git a/ansible/util/secret-service-client.sh b/ansible/util/secret-service-client.sh
new file mode 100755
index 0000000..5743a9d
--- /dev/null
+++ b/ansible/util/secret-service-client.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault hermes`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+ read -s pass
+fi
+echo $pass
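Review bot: The `Copy keys` task in tasks/main.yml copies `files/keys/`, which holds the vault-encrypted `host_ca_key` and `user_ca_key`, into `/root/.ssh/` without `owner`, `group` or `mode`, so the CA private keys land with whatever mode the remote umask gives a new file (in the repository they are committed as 100644). Add `owner: root`, `group: root` and `mode: "0600"` to that task; `Copy ca.sh` presumably needs `mode: "0700"` as well, since nothing here preserves the 100755 it has in the repository. The `copy` module decrypts vaulted sources by default, so the keys are in the clear on the host and their file permissions are the only thing protecting them there.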
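Review bot: `echo $pass` on the last line of secret-service-client.sh prints the vault password unquoted, so a password containing whitespace or glob characters is re-split and glob-expanded and one starting with `-n` or `-e` is consumed as an `echo` option; use `printf '%s\n' "$pass"`. The fallback `read -s pass` should be `read -rs pass` so backslashes in a typed password survive, and the backticks plus the separate `retval=$?` collapse to `if ! pass=$(secret-tool lookup ansible_vault hermes); then read -rs pass; fi`. When `secret-tool` fails and no terminal is attached, `read` either returns an empty password at EOF or blocks on stdin; an explicit `[ -t 0 ]` check with an error message on stderr would make that failure mode visible instead of silent.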