From 51f18a0351340d8a6b40f942eda4129f2e956a52 Mon Sep 17 00:00:00 2001
From: Konrad Bucheli
Date: Wed, 25 May 2022 10:36:20 +0200
Subject: [PATCH] use ssh-ca from the Shared Core Linux Secret Store

---
 infrastructure-guide/home.md | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/infrastructure-guide/home.md b/infrastructure-guide/home.md
index cf415451..4985bc9a 100644
--- a/infrastructure-guide/home.md
+++ b/infrastructure-guide/home.md
@@ -58,11 +58,33 @@ Access to the redhat.com knowledge base:
 
 # SSH Certificates / Signing Public User Keys
 
-Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !)
-
-The signing is done like this:
+Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
 ```bash
-ssh-keygen -s user-ca -I -n -V +55w id_ed25519.pub
+function sign-user-ssh-key {
+ (
+ name="$1"
+ pubkey="$2"
+
+ # let the private key flow through a named pipe
+ # so it never ends up on the file system
+
+ umask 077
+ pipe="$(mktemp --dry-run)"
+ echo "mkfifo '$pipe'"
+ mkfifo "$pipe" || return 1
+ [ -p "$pipe" ] || return 1
+ echo "pass ssh-ca/user-ca > '$pipe' &"
+ pass ssh-ca/user-ca > "$pipe" &
+ echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
+ ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
+ echo "rm '$pipe'"
+ rm "$pipe"
+ )
+}
+```
+and run it with the user name as principal and the public key file
+```
+sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
 ```
 
 More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
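Review bot: The backgrounded `pass ssh-ca/user-ca > "$pipe" &` writer in sign-user-ssh-key is never waited on, so a failed decryption leaves `ssh-keygen` blocked on the fifo, and an `ssh-keygen` failure before it opens the pipe leaves the `pass` process hanging with the decrypted CA key in memory; in neither case does the function report an error. Capture the writer and check it, `pass ssh-ca/user-ca > "$pipe" & writer=$!` and after the signing step `wait "$writer" || return 1`, and add `trap 'kill "$writer" 2>/dev/null; rm -f -- "$pipe"' EXIT` inside the subshell so the fifo and the writer are cleaned up on every exit path, including the `return 1` branches and Ctrl-C. The function's exit status is also that of `rm`, not of `ssh-keygen`, so a signing failure is masked; `ssh-keygen ... || return 1` would surface it. The usage example `sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE` should quote both expansions, since the public key path is passed through unquoted. `mktemp --dry-run` is presumably GNU-specific (`-u` elsewhere); worth stating that the snippet targets GNU coreutils.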