support for arbitrary number of CA key pairs
parent
383001d563
commit
836d926e43
3 changed files with 21 additions and 29 deletions
|
@ -19,7 +19,7 @@ Notable, it has the following limitations:
|
|||
The following variables must be set before calling the role:
|
||||
|
||||
- `ssh_ca_dir`: Working directory for the certificate authority
|
||||
- `ssh_ca_user_ca_private_key`: Private key of the SSH user CA
|
||||
- `ssh_ca_user_ca_public_key`: Public key of the SSH user CA
|
||||
- `ssh_ca_host_ca_private_key`: Private key of the SSH host CA
|
||||
- `ssh_ca_host_ca_public_key`: Public key of the SSH host CA
|
||||
- `ssh_ca_key_pair`: List of CA key pairs
|
||||
- `name`: File name of the CA key pair
|
||||
- `public_key`: Public key contents on the key pair
|
||||
- `private_key`: Private key contents on the key pair
|
||||
|
|
|
@ -16,26 +16,16 @@
|
|||
path: "{{ ssh_ca_dir }}/keys"
|
||||
state: directory
|
||||
|
||||
- name: Copy user CA private key
|
||||
- name: Copy private keys
|
||||
copy:
|
||||
dest: "{{ ssh_ca_dir }}/keys/user_ca"
|
||||
content: "{{ ssh_ca_user_ca_private_key }}"
|
||||
dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}"
|
||||
content: "{{ item.private_key }}"
|
||||
mode: 0600
|
||||
with_items: "{{ ssh_ca_key_pairs }}"
|
||||
|
||||
- name: Copy host CA private key
|
||||
- name: Copy public keys
|
||||
copy:
|
||||
dest: "{{ ssh_ca_dir }}/keys/host_ca"
|
||||
content: "{{ ssh_ca_host_ca_private_key }}"
|
||||
mode: 0600
|
||||
|
||||
- name: Copy user CA public key
|
||||
copy:
|
||||
dest: "{{ ssh_ca_dir }}/keys/user_ca.pub"
|
||||
content: "{{ ssh_ca_user_ca_public_key }}"
|
||||
mode: 0644
|
||||
|
||||
- name: Copy host CA public key
|
||||
copy:
|
||||
dest: "{{ ssh_ca_dir }}/keys/host_ca.pub"
|
||||
content: "{{ ssh_ca_host_ca_public_key }}"
|
||||
dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}.pub"
|
||||
content: "{{ item.public_key }}"
|
||||
mode: 0644
|
||||
with_items: "{{ ssh_ca_key_pairs }}"
|
||||
|
|
|
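Review bot: The new `Copy private keys` task loops over `ssh_ca_key_pairs` without `no_log`, so each loop result prints the full `item`, and `item.private_key` lands in the play output and any log collector; the old per-key tasks did not iterate over the secret. Add `no_log: true` to that task (and, for readable output, `loop_control:` with `label: "{{ item.name }}"`); the public-key task can keep the label without `no_log`. The variable name also disagrees with the README hunk, which documents `ssh_ca_key_pair` while both tasks read `ssh_ca_key_pairs`, so the role will fail on an undefined variable for anyone following the docs. Since `item.name` is interpolated straight into `dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}"`, a name containing `/` or `..` writes the key outside `keys/`; an `assert` task before the copy (e.g. `that: "'/' not in item.name and not item.name.startswith('.')"`) keeps the file layout the sign script relies on.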
@ -3,22 +3,24 @@ set -euo pipefail
|
|||
IFS=$'\n\t'
|
||||
|
||||
host() {
|
||||
PUBKEY="$2"
|
||||
HOST="$3"
|
||||
CAKEY="$2"
|
||||
PUBKEY="$3"
|
||||
HOST="$4"
|
||||
|
||||
echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
|
||||
ssh-keygen -h -s {{ ssh_ca_dir }}/keys/host_ca -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub
|
||||
ssh-keygen -h -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub
|
||||
cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
|
||||
rm {{ ssh_ca_dir }}/"$HOST"*.pub
|
||||
}
|
||||
|
||||
user() {
|
||||
PUBKEY="$2"
|
||||
HOST="$3"
|
||||
PRINCIPALS="$4"
|
||||
CAKEY="$2"
|
||||
PUBKEY="$3"
|
||||
HOST="$4"
|
||||
PRINCIPALS="$5"
|
||||
|
||||
echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
|
||||
ssh-keygen -s {{ ssh_ca_dir }}/keys/user_ca -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub
|
||||
ssh-keygen -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub
|
||||
cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
|
||||
rm {{ ssh_ca_dir }}/"$HOST"*.pub
|
||||
}
|
||||
|
|
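Review bot: `CAKEY` is now a caller-supplied argument that is used verbatim as a path component in `ssh-keygen -s {{ ssh_ca_dir }}/keys/"$CAKEY"` in both `host()` and `user()`, with no check that it names a key inside `keys/`; any relative path the CA user can read becomes a signing key. Before this change `host()` was pinned to `host_ca` and `user()` to `user_ca`, so the script itself enforced which CA issued host versus user certificates; that enforcement now rests entirely on the caller passing the right name, and nothing distinguishes a host key from a user key. At the top of each function reject anything that is not a bare file name and that does not exist, e.g. `case "$CAKEY" in ""|*/*|.*) echo "invalid CA key name" >&2; exit 1;; esac` followed by `[ -f {{ ssh_ca_dir }}/keys/"$CAKEY" ] || { echo "unknown CA key: $CAKEY" >&2; exit 1; }`, placed before the `echo "$PUBKEY" >` line so a bad argument does not leave a stray `"$HOST".pub` behind when `set -e` aborts the `ssh-keygen` step. A header comment stating the new positional layout (`host <cakey> <pubkey> <host>` and `user <cakey> <pubkey> <host> <principals>`) would also help, since the argument shift is silent for existing callers until `set -u` trips on the missing last argument.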