use ssh-ca from the Shared Core Linux Secret Store

2022-05-25 10:36:20 +02:00
parent 4cb3ceb286
commit 51f18a0351
+26 -4
@@ -58,11 +58,33 @@ Access to the redhat.com knowledge base:
# SSH Certificates / Signing Public User Keys
Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !)
The signing is done like this:
Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
```bash
ssh-keygen -s user-ca -I <username> -n <username> -V +55w id_ed25519.pub
function sign-user-ssh-key {
(
name="$1"
pubkey="$2"
# let the private key flow through a named pipe
# so it never ends up on the file system
umask 077
pipe="$(mktemp --dry-run)"
echo "mkfifo '$pipe'"
mkfifo "$pipe" || return 1
[ -p "$pipe" ] || return 1
echo "pass ssh-ca/user-ca > '$pipe' &"
pass ssh-ca/user-ca > "$pipe" &
echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
echo "rm '$pipe'"
rm "$pipe"
)
}
```
and run it with the user name as principal and the public key file
```
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```
More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
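Review bot: the first line inside the bash fence, `ssh-keygen -s user-ca -I <username> -n <username> -V +55w id_ed25519.pub`, looks like a leftover of the old manual instructions; since the text tells the reader to paste the block into a shell, it runs immediately, fails on the non-existent `user-ca` file and treats `<username>` as redirections. Drop it or move it out of the fence as an explanatory line. The sentence before the block still says to use the CA on the "Kai special USB stick" with 600 permissions while the next sentence points to the secret store, so one of the two should go. Minor: `return 1` only leaves the `( ... )` subshell, and if `ssh-keygen` exits without reading the fifo, the backgrounded `pass ssh-ca/user-ca > "$pipe"` stays blocked after `rm "$pipe"`; a `trap` that removes the pipe and kills the background job on exit would make the failure path clean. The second fence (`sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE`) is missing the `bash` language tag the first one uses.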