support for arbitrary number of CA key pair

This commit is contained in:
Pim Kunis 2023-04-25 17:45:23 +02:00
parent 383001d563
commit 836d926e43
3 changed files with 21 additions and 29 deletions


@ -19,7 +19,7 @@ Notable, it has the following limitations:
The following variables must be set before calling the role: The following variables must be set before calling the role:
- `ssh_ca_dir`: Working directory for the certificate authority - `ssh_ca_dir`: Working directory for the certificate authority
- `ssh_ca_user_ca_private_key`: Private key of the SSH user CA - `ssh_ca_key_pair`: List of CA key pairs
- `ssh_ca_user_ca_public_key`: Public key of the SSH user CA - `name`: File name of the CA key pair
- `ssh_ca_host_ca_private_key`: Private key of the SSH host CA - `public_key`: Public key contents on the key pair
- `ssh_ca_host_ca_public_key`: Public key of the SSH host CA - `private_key`: Private key contents on the key pair


@ -16,26 +16,16 @@
path: "{{ ssh_ca_dir }}/keys" path: "{{ ssh_ca_dir }}/keys"
state: directory state: directory
- name: Copy user CA private key - name: Copy private keys
copy: copy:
dest: "{{ ssh_ca_dir }}/keys/user_ca" dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}"
content: "{{ ssh_ca_user_ca_private_key }}" content: "{{ item.private_key }}"
mode: 0600 mode: 0600
with_items: "{{ ssh_ca_key_pairs }}"
- name: Copy host CA private key - name: Copy public keys
copy: copy:
dest: "{{ ssh_ca_dir }}/keys/host_ca" dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}.pub"
content: "{{ ssh_ca_host_ca_private_key }}" content: "{{ item.public_key }}"
mode: 0600
- name: Copy user CA public key
copy:
dest: "{{ ssh_ca_dir }}/keys/user_ca.pub"
content: "{{ ssh_ca_user_ca_public_key }}"
mode: 0644
- name: Copy host CA public key
copy:
dest: "{{ ssh_ca_dir }}/keys/host_ca.pub"
content: "{{ ssh_ca_host_ca_public_key }}"
mode: 0644 mode: 0644
with_items: "{{ ssh_ca_key_pairs }}"
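Review bot: The "Copy private keys" task loops over `ssh_ca_key_pairs` without `no_log`, and Ansible prints each loop item in the task result, so every CA private key (`item.private_key`) is echoed to the console and to whatever callback or log collector is configured; add `no_log: true` to that task and `loop_control: label: "{{ item.name }}"` so only the key name appears in output. The README hunk in this commit documents the variable as `ssh_ca_key_pair`, while both tasks read `ssh_ca_key_pairs`; one of the two needs renaming or the role fails with an undefined variable. `mode: 0600` and `mode: 0644` rely on YAML 1.1 octal parsing; `mode: "0600"` / `mode: "0644"` is the form ansible-lint expects. Both `with_items` loops could be written as `loop:`, the current idiom.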


@ -3,22 +3,24 @@ set -euo pipefail
IFS=$'\n\t' IFS=$'\n\t'
host() { host() {
PUBKEY="$2" CAKEY="$2"
HOST="$3" PUBKEY="$3"
HOST="$4"
echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
ssh-keygen -h -s {{ ssh_ca_dir }}/keys/host_ca -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub ssh-keygen -h -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub
cat {{ ssh_ca_dir }}/"$HOST"-cert.pub cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
rm {{ ssh_ca_dir }}/"$HOST"*.pub rm {{ ssh_ca_dir }}/"$HOST"*.pub
} }
user() { user() {
PUBKEY="$2" CAKEY="$2"
HOST="$3" PUBKEY="$3"
PRINCIPALS="$4" HOST="$4"
PRINCIPALS="$5"
echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
ssh-keygen -s {{ ssh_ca_dir }}/keys/user_ca -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub ssh-keygen -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub
cat {{ ssh_ca_dir }}/"$HOST"-cert.pub cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
rm {{ ssh_ca_dir }}/"$HOST"*.pub rm {{ ssh_ca_dir }}/"$HOST"*.pub
} }
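Review bot: In `host()` and `user()` the new `CAKEY` argument is spliced into a path unchecked (`keys/"$CAKEY"`), so a value containing a slash or `..` selects a signing key outside `{{ ssh_ca_dir }}/keys`; restrict it to a plain file name before use, e.g. `case "$CAKEY" in ""|*/*|.*) echo "invalid CA key name" >&2; exit 1;; esac`, or compare it against the `name` entries of `ssh_ca_key_pairs` rendered into the template. `$HOST` is used the same way and was already unchecked before this change. The dispatch that calls these functions and consumes `$1` is outside the hunk, so callers still passing the old argument order now get the public key as the CA name; `set -u` will at least abort on the missing trailing argument.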