forked from Controls/gitea-pages
use ssh-ca from the Shared Core Linux Secret Store
@@ -58,11 +58,33 @@ Access to the redhat.com knowledge base:
# SSH Certificates / Signing Public User Keys
Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !)
The signing is done like this:
Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
```bash
ssh-keygen -s user-ca -I <username> -n <username> -V +55w id_ed25519.pub
function sign-user-ssh-key {
(
name="$1"
pubkey="$2"
# let the private key flow through a named pipe
# so it never ends up on the file system
umask 077
pipe="$(mktemp --dry-run)"
echo "mkfifo '$pipe'"
mkfifo "$pipe" || return 1
[ -p "$pipe" ] || return 1
echo "pass ssh-ca/user-ca > '$pipe' &"
pass ssh-ca/user-ca > "$pipe" &
echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
echo "rm '$pipe'"
rm "$pipe"
)
}
```
and run it with the user name as principal and the public key file
```
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```
More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
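Review bot: the backgrounded `pass ssh-ca/user-ca > "$pipe" &` in `sign-user-ssh-key` is never reaped, so if `ssh-keygen` fails before it opens the FIFO (wrong `$pubkey` path, typo in the principal, missing `pass` entry), the `pass` process stays blocked on the pipe open with the decrypted CA key in its memory, and the following unconditional `rm "$pipe"` removes the path while that writer is still waiting. Inside the subshell, register cleanup with `trap 'rm -f "$pipe"' EXIT` right after `mkfifo`, check `$pubkey` exists before starting the writer, and `wait` on the background job (or `kill` it when `ssh-keygen` returns non-zero) so no stray process is left holding the key. Two smaller points in the same hunk: `mktemp --dry-run` is the GNU long form, so `mktemp -u` is the portable spelling, and the prose calls `ssh-ca/user-ca.gpg` a "ca certificate" although what is being unlocked and fed to `ssh-keygen -s` is the CA private key; naming it as such makes the 600-permission and named-pipe precautions self-explanatory.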