[[advanced:ssh_certificates]]

advanced:ssh_certificates [2021/07/03 16:37] – created danadvanced:ssh_certificates [2022/06/02 11:31] (current) – [systemd unit] dan
Line 13: Line 13:
 In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at ''%%/etc/step-ca/certs/root_ca.crt%%''), and running ''%%step certificate fingerprint root_ca.crt%%''. In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at ''%%/etc/step-ca/certs/root_ca.crt%%''), and running ''%%step certificate fingerprint root_ca.crt%%''.
  
-Once installed, configure the system to use your CA by running ''%%step ca bootstrap --ca-url ca.hostname --fingerprint root_certificate_fingerprint%%''. The output should look like this:+Once installed, configure the system to use your CA by running ''%%step ca bootstrap --install --ca-url ca.hostname --fingerprint root_certificate_fingerprint%%''. The output should look like this:
  
 <code> <code>
-[root@neth-lemon ~]# step ca bootstrap --ca-url ca.familybrown.org --fingerprint 2f477e4bd5cddf3908521e57f4884247388123be6c1faae80caf883c1b2a3153+[root@neth-lemon ~]# step ca bootstrap --install --ca-url ca.familybrown.org --fingerprint 2f477e4bd5cddf3908521e57f4884247388123be6c1faae80caf883c1b2a3153
 The root certificate has been saved in /root/.step/certs/root_ca.crt. The root certificate has been saved in /root/.step/certs/root_ca.crt.
 Your configuration has been saved in /root/.step/config/defaults.json. Your configuration has been saved in /root/.step/config/defaults.json.
 +Installing the root certificate in the system truststore... done.
 </code> </code>
 **Repeat this on every client and server you want to use with your SSH certificate authority** **Repeat this on every client and server you want to use with your SSH certificate authority**
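Review bot: The added ''--install'' flag changes more than the command line suggests, and the text around it does not say why it was added. The new output line "Installing the root certificate in the system truststore... done." means the CA's root certificate is now trusted for every TLS connection on that machine, not only for the SSH certificate checks this page is about, and the bolded instruction to repeat the bootstrap on every client and server spreads that trust to all of them. Suggest one sentence after the output block stating that the flag needs root, what it is needed for here, and that a compromise of the CA key then affects TLS trust on every bootstrapped host, not just SSH logins.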
Line 70: Line 70:
 ==== systemd unit ==== ==== systemd unit ====
  
-Left for later use+If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer.  This will require creating both a service and a timer file, and then enabling the latter. 
 + 
 +=== Service file === 
 +Create ''/etc/systemd/system/ssh-host-cert.service'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate 
 +Wants=ssh-host-cert.timer 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart=/usr/bin/step ssh renew --force /etc/ssh/ssh_host_ecdsa_key2-cert.pub /etc/ssh/ssh_host_ecdsa_key2 
 +ExecStart=/bin/systemctl restart sshd 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</code> 
 + 
 +=== Timer file === 
 +Create ''/etc/systemd/system/ssh-host-cert.timer'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate daily 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate daily 
 +Requires=ssh-host-cert.service 
 + 
 +[Timer] 
 +OnCalendar= *-*-* 0:0:0 
 +AccuracySec=2h 
 + 
 +[Install] 
 +WantedBy=timers.target 
 +</code> 
 + 
 +=== Enable the timer === 
 +Run ''systemctl daemon-reload'' followed by ''systemctl enable ssh-host-cert.timer''.
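Review bot: ''Requires=ssh-host-cert.service'' in the timer's ''[Unit]'' section pulls the service in whenever the timer unit itself is started, so the renewal and the ''systemctl restart sshd'' run at every boot (and on every ''systemctl start ssh-host-cert.timer'') in addition to the daily schedule; a timer activates the service of the same name on its own, so that line should be dropped. Two smaller points: ''Wants=ssh-host-cert.timer'' and the ''[Install]'' section in the service file are unnecessary once only the timer is enabled, as the "Enable the timer" step says, and since the schedule fires at midnight, ''Persistent=true'' under ''[Timer]'' would run a renewal missed while the host was off at the next boot instead of waiting another day. The two ''ExecStart='' lines are fine with ''Type=oneshot'': they run in order, and the sshd restart is skipped if ''step ssh renew'' fails.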
  
 ===== Configure sshd to use the cert ===== ===== Configure sshd to use the cert =====
Line 123: Line 163:
 Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''. Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''.
  
-In the renewal script above, replace the last line with ''%%signal-event nethserver-openssh-update%%''.+In the renewal script above, replace the last line with ''%%/sbin/e-smith/signal-event nethserver-openssh-update%%''.
  
 ===== Test ===== ===== Test =====
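Review bot: The absolute path ''/sbin/e-smith/signal-event'' is the right fix for the systemd unit, whose ''ExecStart='' commands do not inherit a shell's PATH, but "replace the last line" is now ambiguous: in the systemd service the line to replace is the second ''ExecStart='' (the ''systemctl restart sshd'' one), not the literal last line of the file, which is ''WantedBy=multi-user.target''. Suggest naming the line to replace and adding a parenthetical that the full path is required because unit files get a minimal PATH, so readers do not "fix" it back to the bare command used interactively two paragraphs up.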
Line 142: Line 182:
  
 ===== Server configuration ===== ===== Server configuration =====
- 
 First, you'll need to save a copy of the CA's user signing key on your system. To do that, run ''%%step ssh config --roots > /etc/ssh/ssh_user_key.pub%%''. First, you'll need to save a copy of the CA's user signing key on your system. To do that, run ''%%step ssh config --roots > /etc/ssh/ssh_user_key.pub%%''.
 +==== Most Unix-y systems ====
 Next, ''%%nano /etc/ssh/sshd_config%%''. Add these lines to the end: Next, ''%%nano /etc/ssh/sshd_config%%''. Add these lines to the end:
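Review bot: The new ''==== Most Unix-y systems ===='' heading is inserted with the blank line before it removed, so it runs straight on from the ''step ssh config --roots'' sentence; keep a blank line before the heading, as the other ''===='' subsections added in this revision have. The heading is also the natural place to say that ''/etc/ssh/ssh_user_key.pub'' is only a convention and must match whatever path the ''sshd_config'' lines below point at, since the FreeNAS/TrueNAS subsection later stores the same key under ''/root/.step''.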
  
Line 153: Line 192:
 </code> </code>
 Restart ''%%sshd%%''. Restart ''%%sshd%%''.
 +==== FreeNAS/TrueNAS systems ==== 
 +Save the User CA key retrieved above in ''%%/root/.step%%'' And instead of editing ''%%sshd_config%%'', you can enter the lines above (correcting the path as appropriate) in the GUI, under **Services**, **SSH**, **Auxilliary Parameters**. 
 +==== Nethserver systems ==== 
 +As noted above, the Nethserver system configuration is generated from templates.  If you set up your system for host certificates as described above, you'll only need to edit the ''80Certificates'' template fragment.  If not, you'll first need to create it.  First run ''%%mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config%%'', then ''%%nano /etc/e-smith/templates-custom/etc/ssh/sshd_config/80Certificates%%'' Add the lines above.  Then ''%%signal-event nethserver-openssh-update%%''.
 ===== Client configuration ===== ===== Client configuration =====
  
 Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours. Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours.
  
-The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. More to follow on that.+The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. I have it running using LemonLDAP::NG as an authentication provider; [[https://wiki.nethserver.org/doku.php?id=userguide:llng|this article]] describes that process.
  
 ===== Test ===== ===== Test =====
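Review bot: In the FreeNAS/TrueNAS paragraph, "Auxilliary" should be "Auxiliary", and the sentence runs on: a full stop is missing after ''/root/.step'' before "And instead...". More substantively, that paragraph stores the user CA key in ''/root/.step'' while the generic instructions write it to ''/etc/ssh/ssh_user_key.pub'', so "correcting the path as appropriate" should state the exact path the GUI lines must reference. In the Nethserver paragraph, add a full stop after the ''nano ...80Certificates'' command before "Add the lines above", and make explicit that when the ''80Certificates'' fragment already exists from the host-certificate setup the user-CA lines are appended to it rather than replacing its contents, since ''signal-event nethserver-openssh-update'' regenerates ''sshd_config'' from whatever the fragment contains.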
  • advanced/ssh_certificates.1625330233.txt.gz
  • Last modified: 2021/07/03 16:37
  • by dan