diff --git a/infrastructure-guide/home.md b/infrastructure-guide/home.md index cf415451..4985bc9a 100644 --- a/infrastructure-guide/home.md +++ b/infrastructure-guide/home.md @@ -58,11 +58,33 @@ Access to the redhat.com knowledge base: # SSH Certificates / Signing Public User Keys -Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !) - -The signing is done like this: +Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell ```bash -ssh-keygen -s user-ca -I -n -V +55w id_ed25519.pub +function sign-user-ssh-key { + ( + name="$1" + pubkey="$2" + + # let the private key flow through a named pipe + # so it never ends up on the file system + + umask 077 + pipe="$(mktemp --dry-run)" + echo "mkfifo '$pipe'" + mkfifo "$pipe" || return 1 + [ -p "$pipe" ] || return 1 + echo "pass ssh-ca/user-ca > '$pipe' &" + pass ssh-ca/user-ca > "$pipe" & + echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'" + ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey" + echo "rm '$pipe'" + rm "$pipe" + ) +} +``` +and run it with the user name as principal and the public key file +``` +sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE ``` More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
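Review bot: the function's exit status does not reflect whether signing succeeded, and a failed signing leaves the background `pass` process hanging. In the new `sign-user-ssh-key` body the last command in the subshell is `rm "$pipe"`, so a caller running `sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE` gets the status of `rm`, not of `ssh-keygen`; and because `pass ssh-ca/user-ca > "$pipe" &` blocks in the shell's open() of the FIFO until a reader appears, any `ssh-keygen` failure before it opens the pipe (wrong public key path, bad `-V` value) leaves that background job blocked forever with the decrypted CA key about to be written. Suggest capturing the status and cleaning up the writer explicitly, e.g. `ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"; rc=$?`, then `kill "$!" 2>/dev/null; wait "$!" 2>/dev/null` before `rm "$pipe"`, and finish with `return "$rc"`. Two smaller points in the same hunk: `mktemp --dry-run` only proposes a name (mktemp's own docs call `-u` unsafe); here it is acceptable only because `mkfifo` fails atomically if the path already exists and `umask 077` makes the FIFO 0600, so it would be worth a comment saying that this is why the `|| return 1` and `[ -p "$pipe" ]` checks are load-bearing. The prose also drops the old note that the CA key must not be world-readable without saying that the named pipe now replaces the on-disk key, and it does not mention that `pass` with access to the `ssh-ca/user-ca` entry is a prerequisite; a sentence on both would help the next person who copies the function.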