[[advanced:ssh_certificates]]

advanced:ssh_certificates [2021/07/03 22:12] – [Install the step CLI Utility] add --install dan
advanced:ssh_certificates [2022/06/01 20:35] – [systemd unit] dan
Line 70: Line 70:
 ==== systemd unit ==== ==== systemd unit ====
  
-Left for later use+If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer.  This will require creating both a service and a timer file, and then enabling the latter. 
 + 
 +=== Service file === 
 +Create ''/etc/systemd/system/ssh-host-cert.service'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate 
 +Wants=ssh-host-cert.timer 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart=/usr/local/bin/step ssh renew --force /etc/ssh/ssh_host_ecdsa_key2-cert.pub /etc/ssh/ssh_host_ecdsa_key2 
 +ExecStart=/bin/systemctl restart sshd 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</code> 
 + 
 +=== Timer file === 
 +Create ''/etc/systemd/system/ssh-host-cert.timer'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate daily 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate daily 
 +Requires=ssh-host-cert.service 
 + 
 +[Timer] 
 +OnCalendar= *-*-* 0:0:0 
 +AccuracySec=2h 
 + 
 +[Install] 
 +WantedBy=timers.target 
 +</code> 
 + 
 +=== Enable the timer === 
 +Run ''systemctl daemon-reload'' followed by ''systemctl enable ssh-host-cert.timer''.
  
 ===== Configure sshd to use the cert ===== ===== Configure sshd to use the cert =====
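Review bot: the timer in this hunk has no `Persistent=true`, so a renewal scheduled for midnight is simply skipped if the host is powered off at that moment, and `step ssh renew` can only renew while the current certificate is still valid; adding `Persistent=true` under `[Timer]` makes a missed run fire at the next boot instead. Two smaller points in the same hunk: the `Wants=ssh-host-cert.timer` line and the `[Install]` section in the service file are not needed when only the timer is enabled, as the last step says (the timer's own `Requires=ssh-host-cert.service` already pulls the service in), and where the sshd unit defines `ExecReload=`, `/bin/systemctl reload sshd` re-reads the renewed host certificate without the brief listener downtime of `restart`. Because the unit is `Type=oneshot`, a failing `step ssh renew` stops the second `ExecStart=` from running and leaves the unit in failed state, so `systemctl --failed` is the place for a monitoring check to catch a renewal that stopped working before the certificate expires.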
Line 123: Line 163:
 Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''. Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''.
  
-In the renewal script above, replace the last line with ''%%signal-event nethserver-openssh-update%%''.+In the renewal script above, replace the last line with ''%%/sbin/e-smith/signal-event nethserver-openssh-update%%''.
  
 ===== Test ===== ===== Test =====
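Review bot: the switch to the absolute path `/sbin/e-smith/signal-event` is necessary, not cosmetic: the line being replaced is an `ExecStart=` in the systemd service above, and systemd does not use the shell's PATH (older versions require an absolute path outright; newer ones search only a fixed list of standard directories, which does not include `/sbin/e-smith`), so a bare `signal-event` would fail from the unit even though it works from an interactive shell as in the line above. Since the event regenerates the sshd config file, the `HostCertificate` setting must live wherever this section places it rather than be hand-edited into the generated file, or each daily renewal would overwrite it.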
Line 160: Line 200:
 Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours. Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours.
  
-The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. More to follow on that.+The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. I have it running using LemonLDAP::NG as an authentication provider; [[https://wiki.nethserver.org/doku.php?id=userguide:llng|this article]] describes that process.
  
 ===== Test ===== ===== Test =====
  • advanced/ssh_certificates.txt
  • Last modified: 2022/06/02 11:31
  • by dan