[[advanced:ssh_certificates]]

Differences

advanced:ssh_certificates [2021/07/03 22:12] – [Install the step CLI Utility] add --install dan
advanced:ssh_certificates [2022/06/02 11:31] (current) – [systemd unit] dan
Line 70: Line 70:
 ==== systemd unit ==== ==== systemd unit ====
  
-Left for later use+If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer.  This will require creating both a service and a timer file, and then enabling the latter. 
 + 
 +=== Service file === 
 +Create ''/etc/systemd/system/ssh-host-cert.service'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate 
 +Wants=ssh-host-cert.timer 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart=/usr/bin/step ssh renew --force /etc/ssh/ssh_host_ecdsa_key2-cert.pub /etc/ssh/ssh_host_ecdsa_key2 
 +ExecStart=/bin/systemctl restart sshd 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</code> 
 + 
 +=== Timer file === 
 +Create ''/etc/systemd/system/ssh-host-cert.timer'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate daily 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate daily 
 +Requires=ssh-host-cert.service 
 + 
 +[Timer] 
 +OnCalendar= *-*-* 0:0:0 
 +AccuracySec=2h 
 + 
 +[Install] 
 +WantedBy=timers.target 
 +</code> 
 + 
 +=== Enable the timer === 
 +Run ''systemctl daemon-reload'' followed by ''systemctl enable ssh-host-cert.timer''.
  
 ===== Configure sshd to use the cert ===== ===== Configure sshd to use the cert =====
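Review bot: the service file pairs ''Wants=ssh-host-cert.timer'' with an ''[Install]'' section of ''WantedBy=multi-user.target'', so anyone who runs ''systemctl enable ssh-host-cert.service'' (rather than enabling the timer, as the last step says) gets a forced renewal and an sshd restart on every boot; for a unit that only the timer should trigger, drop the ''[Install]'' section from the service and let the timer's ''WantedBy=timers.target'' be the only enablement. The same applies to ''Requires=ssh-host-cert.service'' in the timer's ''[Unit]'': a timer activates the service of the same name on its own, and the ''Requires='' line additionally starts the service the moment the timer itself starts. It is also worth adding ''Persistent=true'' under ''[Timer]'', since with ''OnCalendar=*-*-* 0:0:0'' a host that is powered off at midnight skips that day's renewal rather than catching up at the next boot, and a failed ''step ssh renew'' leaves the old certificate in place until the following midnight with nothing but a failed unit to show for it.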
Line 123: Line 163:
 Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''. Regenerate the config file, and restart sshd, by running ''%%signal-event nethserver-openssh-update%%''.
  
-In the renewal script above, replace the last line with ''%%signal-event nethserver-openssh-update%%''.+In the renewal script above, replace the last line with ''%%/sbin/e-smith/signal-event nethserver-openssh-update%%''.
  
 ===== Test ===== ===== Test =====
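Review bot: using the full path ''/sbin/e-smith/signal-event'' is the right fix for a renewal job that runs with a minimal ''PATH'', but the sentence only covers "the renewal script above"; the systemd service added in this same revision ends with ''ExecStart=/bin/systemctl restart sshd'', which on NethServer should likewise become ''ExecStart=/sbin/e-smith/signal-event nethserver-openssh-update'' so the sshd config is regenerated before the restart. Suggest extending the sentence to name both the script and the service unit.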
Line 160: Line 200:
 Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours. Before you ssh to a host that requires (or accepts) a certificate, you'll need to log in with ''%%step ssh login <username>%%''. Step will ask you for a provisioner. For now, as above, choose the ''%%(JWK)%%'' provisioner and enter its password. The CA will issue you a certificate, valid for 16 hours.
  
-The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. More to follow on that.+The "killer app" feature of Step in this regard is its ability to use OpenID Connect as a provisioner, and therefore use any compatible single sign-on service to authenticate you to the CA. I have it running using LemonLDAP::NG as an authentication provider; [[https://wiki.nethserver.org/doku.php?id=userguide:llng|this article]] describes that process.
  
 ===== Test ===== ===== Test =====
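Review bot: the preceding paragraph still tells the reader to choose the ''(JWK)'' provisioner "for now", so once the linked LemonLDAP::NG setup is in place the reader is left to guess what changes on the client side; a half-sentence here saying which provisioner to pick at the ''step ssh login'' prompt once OpenID Connect is configured would close that gap.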
  • advanced/ssh_certificates.1625350373.txt.gz
  • Last modified: 2021/07/03 22:12
  • by dan