Add initial SSH certificates

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2017-04-09 22:29:14 +00:00 · 2017-04-09 22:29:14 +00:00 · c96d44b232
commit c96d44b232
parent 3fd69824cb
2 changed files with 117 additions and 0 deletions
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -129,6 +129,9 @@
  - selinux
  - base

+- name: Set up SSH certificates
+  include: sshcerts.yml
+
 - name: sshd_config
  copy: src={{ item }} dest=/etc/ssh/sshd_config mode=0600
  with_first_found:
--- a/roles/base/tasks/sshcerts.yml
+++ b/roles/base/tasks/sshcerts.yml
@ -0,0 +1,114 @@
+- name: Determine SSH keys generated by this machine
+  find: paths=/etc/ssh
+        file_type=file
+      patterns="ssh_host_*_key"
+  register: ssh_key_files
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Determine SSH keys never signed
+  stat: path="{{item.path}}-cert.pub"
+  with_items: "{{ssh_key_files.files}}"
+  register: ssh_cert_files
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Set lists of certs to sign to empty
+  set_fact:
+    certs_to_sign: "[]"
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Set list of certs to sign
+  set_fact:
+    certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+  with_items: "{{ssh_cert_files.results}}"
+  when: "env == 'staging' and not item.stat.exists"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+# TODO: Get expired certificates, and add them to certs_to_sign
+
+- name: Create directory for storing pubkeys
+  command: "mktemp -d --suffix=sshkeysign"
+  delegate_to: "batcave01.phx2.fedoraproject.org"
+  run_once: true
+  register: pubkeydirout
+  when: "env == 'staging' and {{certs_to_sign}} != []"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- set_fact:
+    pubkeydir: "{{pubkeydirout.stdout}}"
+  when: "env == 'staging' and {{certs_to_sign}} != []"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Get public keys for certs to sign
+  fetch: src="{{item}}.pub"
+         dest="{{pubkeydir}}"
+         fail_on_missing=true
+  with_items: "{{certs_to_sign}}"
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Set some extra signing facts
+  set_fact:
+    sign_hostnames: "{{inventory_hostname}}"
+    sign_validity: "-1h:+2w"
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+# Currently, we use the epoch as serial. That's unique enough for now
+- name: Sign the certificates
+  command: "ssh-keygen -s {{private}}/files/ssh/staging_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames }} -V {{sign_validity}} -z {{ansible_date_time.epoch}} {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
+  delegate_to: "batcave01.phx2.fedoraproject.org"
+  with_items: "{{certs_to_sign}}"
+  when: "env == 'staging'"
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base
+
+- name: Copy the certificates
+  copy: src="{{pubkeydir}}/{{inventory_hostname}}{{item}}-cert.pub"
+        dest="{{item}}-cert.pub"
+  with_items: "{{certs_to_sign}}"
+  when: "env == 'staging'"
+  notify:
+  - restart sshd
+  tags:
+  - sshd_config
+  - config
+  - sshd
+  - base