[[advanced:ssh_certificates]]

advanced:ssh_certificates [2021/07/24 14:54] – [Client configuration] dan
advanced:ssh_certificates [2022/06/02 11:31] (current) – [systemd unit] dan
Line 70: Line 70:
 ==== systemd unit ==== ==== systemd unit ====
  
-Left for later use+If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer.  This will require creating both a service and a timer file, and then enabling the latter. 
 + 
 +=== Service file === 
 +Create ''/etc/systemd/system/ssh-host-cert.service'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate 
 +Wants=ssh-host-cert.timer 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart=/usr/bin/step ssh renew --force /etc/ssh/ssh_host_ecdsa_key2-cert.pub /etc/ssh/ssh_host_ecdsa_key2 
 +ExecStart=/bin/systemctl restart sshd 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</code> 
 + 
 +=== Timer file === 
 +Create ''/etc/systemd/system/ssh-host-cert.timer'' with the following contents: 
 +<code> 
 +# Renew SSH host certificate daily 
 +#  
 + 
 +[Unit] 
 +Description=Renew SSH host certificate daily 
 +Requires=ssh-host-cert.service 
 + 
 +[Timer] 
 +OnCalendar= *-*-* 0:0:0 
 +AccuracySec=2h 
 + 
 +[Install] 
 +WantedBy=timers.target 
 +</code> 
 + 
 +=== Enable the timer === 
 +Run ''systemctl daemon-reload'' followed by ''systemctl enable ssh-host-cert.timer''.
  
 ===== Configure sshd to use the cert ===== ===== Configure sshd to use the cert =====
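Review bot: the timer file is missing `Persistent=true` in its `[Timer]` section, so a host that is powered off or suspended at midnight skips that day's renewal entirely and runs again only at the next `OnCalendar` match; with a short-lived host certificate that gap is enough to leave sshd presenting an expired certificate until the following night. Add `Persistent=true` under `[Timer]` so a missed run is executed as soon as the system is next up. Two smaller points in the same hunk: `Requires=ssh-host-cert.service` in the timer and `Wants=ssh-host-cert.timer` in the service are not needed (a timer activates its same-named service on its own), and `Requires=` means the renewal also fires every time the timer unit is started, including at boot; dropping both lines, and the `[Install]` section from the service so it cannot be enabled by mistake, keeps only the timer as the entry point. The second `ExecStart=` could use `/bin/systemctl reload sshd` rather than `restart`, since sshd re-executes itself on SIGHUP and rereads its host keys and certificates, which avoids a full daemon restart every day; because `Type=oneshot` runs the `ExecStart=` lines in order and stops at the first failure, a failed `step ssh renew` already leaves sshd untouched, which is the right behaviour.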