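#!/bin/bash
#
# This script will get an SSH host certificate from our CA and add a weekly
# cron job to rotate the host certificate.
#
# It must run as root on an EC2 instance: it installs a package, writes to
# /etc/ssh/sshd_config and restarts sshd, and it authenticates to step-ca
# with the "Amazon Web Services" provisioner (AWS instance identity document).
#
# Fail fast. Every step depends on the previous one; a failed download or a
# failed CA bootstrap must not be followed by an sshd restart.
set -euo pipefail

CA_URL="[YOUR CA URL]"
# Obtain your CA fingerprint by running this on your CA:
# # step certificate fingerprint $(step path)/certs/root_ca.crt
CA_FINGERPRINT="[YOUR CA FINGERPRINT]"
# Your SSH user key is located on the CA.
# # cat $(step path)/certs/ssh_user_ca_key.pub
CA_SSH_USER_KEY="[YOUR SSH USER CA KEY]"

# Refuse to run while the placeholders above are still in place. A bogus URL
# or fingerprint makes the bootstrap fail anyway, but a bogus user CA key
# would be written out and referenced from sshd_config as TrustedUserCAKeys.
for var in CA_URL CA_FINGERPRINT CA_SSH_USER_KEY; do
  case "${!var}" in
    "["*) echo "error: set $var at the top of $0 before running it" >&2; exit 1 ;;
  esac
done

# NOTE: 0.14.0-rc.3 is a release candidate. Pin a GA release on production
# hosts; the artifact name below is what the smallstep/cli releases use.
STEPCLI_VERSION="0.14.0-rc.3"
# Optional supply-chain check: SHA-256 of the .deb, copied from the release's
# checksums file. When set, the download is verified before dpkg installs it.
# TLS only proves we talked to github.com, not that the artifact is the one
# the release was built from.
STEPCLI_SHA256=""
STEPCLI_DEB="step-cli_${STEPCLI_VERSION}_amd64.deb"
# -f: fail on HTTP errors instead of saving an error page and handing it to dpkg.
# --proto/--proto-redir '=https': refuse any redirect that downgrades to plain http.
curl -fsSL --proto '=https' --proto-redir '=https' -o "$STEPCLI_DEB" \
  "https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/${STEPCLI_DEB}"
if [[ -n "$STEPCLI_SHA256" ]]; then
  echo "${STEPCLI_SHA256}  ${STEPCLI_DEB}" | sha256sum -c - >/dev/null \
    || { echo "error: checksum mismatch for $STEPCLI_DEB; refusing to install" >&2; exit 1; }
fi
dpkg -i "$STEPCLI_DEB"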
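# Configure `step` to connect to & trust our `step-ca`.
# Pull down the CA's root certificate so we can talk to it later with TLS.
# The fingerprint pins the root: bootstrap fails unless the certificate the
# CA serves hashes to CA_FINGERPRINT, which is what protects this very first
# connection (before we hold the root) from a man-in-the-middle.
step ca bootstrap --ca-url "$CA_URL" --fingerprint "$CA_FINGERPRINT" \
  || { echo "error: step ca bootstrap failed; check CA_URL and CA_FINGERPRINT" >&2; exit 1; }

# Install the user CA public key so sshd can validate user certificates
# (this is $(step path)/certs/ssh_user_ca_key.pub on the CA). It is written
# quoted and with printf so a key containing glob characters or runs of
# whitespace lands in the file verbatim; an altered key would silently make
# every user certificate fail to verify.
STEP_CERTS_DIR="$(step path)/certs"
mkdir -p "$STEP_CERTS_DIR"
printf '%s\n' "$CA_SSH_USER_KEY" > "$STEP_CERTS_DIR/ssh_user_key.pub"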
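# Get an SSH host certificate.
#
# The certificate's principal is this instance's public DNS name, read from
# the instance metadata service. IMDSv2 (session token sent in a header) is
# used instead of a bare IMDSv1 GET: it is what an account's "require IMDSv2"
# setting enforces, and a failed request aborts the script instead of leaving
# an HTTP error page in HOSTNAME and in the certificate request.
# NOTE: only this one name goes into the certificate. Clients that connect by
# IP address or by the private DNS name will not match the host certificate.
IMDS="http://169.254.169.254/latest"
IMDS_TOKEN="$(curl -sSf -X PUT "${IMDS}/api/token" \
  -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')" \
  || { echo "error: could not get an IMDSv2 token; is this an EC2 instance?" >&2; exit 1; }
HOSTNAME="$(curl -sSf -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" \
  "${IMDS}/meta-data/public-hostname")" \
  || { echo "error: could not read public-hostname from instance metadata" >&2; exit 1; }
if [[ -z "$HOSTNAME" ]]; then
  echo "error: instance has no public hostname; nothing to put in the certificate" >&2
  exit 1
fi
export HOSTNAME

# Ask step to build an instance-identity token for the "Amazon Web Services"
# provisioner. It carries the AWS-signed identity document, which is how the
# CA knows the request comes from an instance in a trusted account. The token
# is short lived (the sample below is good for 300 s) but it is still a bearer
# credential and is passed on the command line further down, so do not run
# this script under `set -x` or anything that logs command lines.
TOKEN="$(step ca token "$HOSTNAME" --ssh --host --provisioner "Amazon Web Services")" \
  || { echo "error: step ca token failed" >&2; exit 1; }
export TOKEN
# In case you're curious, here's what an AWS IID token looks like
# (the base64 instance identity document is elided):
#
# $ echo $TOKEN | step crypto jwt inspect --insecure
# {
#   "header": {
#     "alg": "HS256",
#     "typ": "JWT"
#   },
#   "payload": {
#     "amazon": {
#       "document": "<base64 instance identity document>",
#       "signature": "Vjet79r5ntppNjaFf9d2PeI8eXMA2z5+rSqu4vGIrJpzXZvpsjh5McwaY3Z6vuugV3pbdgxih7HWOQWlSoKSJeGF4Mc+pyYmKMfjTvtiyhAhqoevbHA2Od2osI4aKi/hiPAXLCagWuOVjuKdYvDm2MbMKUHsMCAgvPN9HtItepk="
#     },
#     "aud": [
#       "https://ec2-3-15-28-130.us-east-2.compute.amazonaws.com/1.0/sign#aws/Amazon%20Web%20Services"
#     ],
#     "exp": 1583371845,
#     "iat": 1583371545,
#     "iss": "ec2.amazonaws.com",
#     "jti": "51c62506731a9cbb9262b3ce1950fd0d70bc9155f29985e5f5470f27176114a3",
#     "nbf": 1583371545,
#     "sans": null,
#     "sub": "ec2-18-216-218-33.us-east-2.compute.amazonaws.com"
#   },
#   "signature": "owEOB4AXVUuzLwbQ4N72rM1A60hAVWrYS7UhrZWImfg"
# }

# Ask the CA to exchange our instance token for an SSH host certificate.
# --sign certifies the existing host key in place; the certificate lands next
# to it as /etc/ssh/ssh_host_ecdsa_key-cert.pub, which sshd_config references.
step ssh certificate "$HOSTNAME" /etc/ssh/ssh_host_ecdsa_key.pub \
  --host --sign --provisioner "Amazon Web Services" \
  --token "$TOKEN" \
  || { echo "error: the CA did not issue a host certificate for $HOSTNAME" >&2; exit 1; }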
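# Configure and restart `sshd`.
# Append our stanza only once. The marker comment is the idempotence key:
# unconditionally appending meant every re-run duplicated the directives.
SSHD_CONFIG=/etc/ssh/sshd_config
if ! grep -q '^# SSH CA Configuration' "$SSHD_CONFIG"; then
  tee -a "$SSHD_CONFIG" > /dev/null <<EOF
# SSH CA Configuration
# This is the CA's public key, for authenticating user certificates. With no
# AuthorizedPrincipalsFile, a certificate is accepted for a login name only if
# that name is one of the certificate's principals.
TrustedUserCAKeys $(step path)/certs/ssh_user_key.pub
# This is our host private key and certificate. Once a HostKey is listed,
# sshd no longer falls back to its built-in default key files, so this host
# offers only the ECDSA key (with its certificate).
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
EOF
fi
# Validate before restarting: on a remote host a config error turns the
# restart into a lock-out, because the daemon fails to come back.
/usr/sbin/sshd -t \
  || { echo "error: sshd config check failed; leaving the running sshd alone" >&2; exit 1; }
service ssh restart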
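# Now add a weekly cron script to rotate our host certificate.
# Renewal writes a fresh ssh_host_ecdsa_key-cert.pub, but sshd only loads
# host keys and certificates when it starts (or is sent SIGHUP), so the job
# must reload sshd afterwards or the host keeps presenting the old, eventually
# expired, certificate until the next restart. The heredoc is quoted: nothing
# in it should be expanded at install time.
cat <<'EOF' > /etc/cron.weekly/rotate-ssh-certificate
#!/bin/sh
# Renew the sshd host certificate with step-ca and make sshd pick it up.
# STEPPATH must point at the config written by `step ca bootstrap` as root.
export STEPPATH=/root/.step
cd /etc/ssh || exit 1
# --force overwrites the existing -cert.pub without prompting. The renewal
# presumably authenticates with the current certificate, so an already
# expired one cannot be renewed this way; re-run the enrollment script then.
if out=$(step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2>&1); then
  # SIGHUP makes sshd re-exec and re-read its keys and certificates without
  # dropping established sessions.
  service ssh reload
else
  # Best effort, as before (cron retries next week), but leave a trace for
  # the operator instead of discarding the error.
  logger -t rotate-ssh-certificate "step ssh renew failed, certificate not rotated: $out"
fi
exit 0
EOF
chmod 755 /etc/cron.weekly/rotate-ssh-certificate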