#!/bin/bash # # This script will get an SSH host certificate from our CA and add a weekly # cron job to rotate the host certificate. CA_URL="[YOUR CA URL]" # Obtain your CA fingerprint by running this on your CA: # # step certificate fingerprint $(step path)/certs/root_ca.crt CA_FINGERPRINT="[YOUR CA FINGERPRINT]" # Your SSH user key is located on the CA. # # cat $(step path)/certs/ssh_user_ca_key.pub CA_SSH_USER_KEY="[YOUR SSH USER CA KEY]" STEPCLI_VERSION="0.14.0-rc.3" curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb # Configure `step` to connect to & trust our `step-ca`. # Pull down the CA's root certificate so we can talk to it later with TLS step ca bootstrap --ca-url $CA_URL \ --fingerprint $CA_FINGERPRINT # Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA). echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub # Get an SSH host certificate export HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)" export TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services") # Ask the CA to exchange our instance token for an SSH host certificate step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \ --host --sign --provisioner "Amazon Web Services" \ --token $TOKEN # Configure and restart `sshd` tee -a /etc/ssh/sshd_config > /dev/null < /etc/cron.weekly/rotate-ssh-certificate #!/bin/sh export STEPPATH=/root/.step cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2> /dev/null exit 0 EOF chmod 755 /etc/cron.weekly/rotate-ssh-certificate