
@mhzawadi
Forked from tashian/init_aws_ssh_host.sh
Last active July 24, 2020 12:17

Revisions

  1. mhzawadi revised this gist Jul 24, 2020. 1 changed file with 9 additions and 6 deletions.
    15 changes: 9 additions & 6 deletions init_ansible_ssh_host.sh
    @@ -13,24 +13,27 @@ CA_NAME="[A name for your CA]"
    # # step certificate fingerprint $(step path)/certs/root_ca.crt
    CA_FINGERPRINT="[Your CA"s Fingerprint]"
    STEPCLI_VERSION="0.14.3"
    STEPCLI_VERSION="0.14.6"
    curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
    dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
    # curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
    # dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
    # Configure `step` to connect to & trust our `step-ca`.
    # Pull down the CA's root certificate so we can talk to it later with TLS
    step ca bootstrap --ca-url $CA_URL \
    --fingerprint $CA_FINGERPRINT
    --fingerprint $CA_FINGERPRINT
    # Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
    step ssh config --roots > $(step path)/certs/ssh_user_key.pub
    # Ask the CA to exchange our host key for an SSH host certificate
    TOKEN=$(step ca token vps432732 -host -ssh -provisioner=logs@horwood.biz -password-file=key)
    step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "${CA_NAME}@${ALLOWED_DOMAIN}" \
    --principal $HOSTNAME --host-id machine
    --principal $HOSTNAME --principal "" \
    --token ${TOKEN}
    exit
    # Configure and restart `sshd`
    tee -a /etc/ssh/sshd_config > /dev/null <<EOF
    # SSH CA Configuration
    @@ -56,4 +59,4 @@ cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --f
    exit 0
    EOF
    chmod 755 /etc/cron.weekly/rotate-ssh-certificate
    chmod 755 /etc/cron.weekly/rotate-ssh-certificate
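Review bot: The bare `exit` after the `step ssh certificate` call ends the script before the sshd_config append, the `service ssh restart` and the weekly renew cron job are reached, so nothing after it in this file ever runs; it reads as a debugging leftover and should be removed. The token is minted for the literal host `vps432732` while the certificate is requested for `$HOSTNAME`, so the two only agree on that one machine, and `--principal ""` adds an empty principal; use `"$HOSTNAME"` in the `step ca token` call and drop the empty `--principal`. `-password-file=key` names the provisioner password by a path relative to wherever the script happens to be run; since that file authorizes issuing host certificates, give it an absolute path, keep it mode 0600 and remove it once the certificate has been issued. The script continues outside this hunk.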
  2. mhzawadi revised this gist Jul 22, 2020. 1 changed file with 5 additions and 21 deletions.
    26 changes: 5 additions & 21 deletions init_ansible_ssh_host.sh
    @@ -6,6 +6,8 @@
    # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions

    CA_URL="[Your CA's URL]"
    ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]"
    CA_NAME="[A name for your CA]"

    # Obtain your CA fingerprint by running this on your CA:
    # # step certificate fingerprint $(step path)/certs/root_ca.crt
    @@ -24,28 +26,10 @@ step ca bootstrap --ca-url $CA_URL \
    # Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
    step ssh config --roots > $(step path)/certs/ssh_user_key.pub
    # Get an SSH host certificate
    HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"
    LOCAL_HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/local-hostname)"
    # This helps us avoid a potential race condition / clock skew issue
    # "x509: certificate has expired or is not yet valid: current time 2020-04-01T17:52:51Z is before 2020-04-01T17:52:52Z"
    sleep 1
    # The TOKEN is a JWT with the instance identity document and signature embedded in it.
    TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")
    # To inspect $TOKEN, run
    # $ echo $TOKEN | step crypto jwt inspect --insecure
    #
    # To inspect the Instance Identity Document embedded in the token, run
    # $ echo $TOKEN | step crypto jwt inspect --insecure | jq -r ".payload.amazon.document" | base64 -d
    # Ask the CA to exchange our instance token for an SSH host certificate
    # Ask the CA to exchange our host key for an SSH host certificate
    step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "Amazon Web Services" \
    --principal $HOSTNAME --principal $LOCAL_HOSTNAME \
    --token $TOKEN
    --host --sign --provisioner "${CA_NAME}@${ALLOWED_DOMAIN}" \
    --principal $HOSTNAME --host-id machine
    # Configure and restart `sshd`
    tee -a /etc/ssh/sshd_config > /dev/null <<EOF
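Review bot: The rewritten `step ssh certificate` call no longer passes `--token`, and the `HOSTNAME`/`TOKEN` assignments are removed, so the CLI must obtain credentials for provisioner `${CA_NAME}@${ALLOWED_DOMAIN}` on its own, which presumably means an interactive prompt; that does not fit an unattended init script. `$HOSTNAME` now falls back to bash's built-in variable, which may be the short name rather than the FQDN the host certificate should carry; assign it explicitly, e.g. `HOSTNAME="$(hostname -f)"`, and quote it in the `--principal` argument. The `ALLOWED_DOMAIN` placeholder added in the first hunk still describes a Google sign-in domain, which no longer matches how the variable is used here.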
  3. mhzawadi renamed this gist Jul 8, 2020. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  4. @tashian tashian revised this gist Jun 8, 2020. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions init_aws_ssh_host.sh
    @@ -2,6 +2,9 @@
    #
    # This script will get an SSH host certificate from our CA and add a weekly
    # cron job to rotate the host certificate.
    #
    # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions

    CA_URL="[Your CA's URL]"

    # Obtain your CA fingerprint by running this on your CA:
  5. @tashian tashian revised this gist May 5, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion init_aws_ssh_host.sh
    @@ -8,7 +8,7 @@ CA_URL="[Your CA's URL]"
    # # step certificate fingerprint $(step path)/certs/root_ca.crt
    CA_FINGERPRINT="[Your CA"s Fingerprint]"
    STEPCLI_VERSION="0.14.2"
    STEPCLI_VERSION="0.14.3"
    curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
    dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
  6. @tashian tashian revised this gist Apr 13, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion init_aws_ssh_host.sh
    @@ -8,7 +8,7 @@ CA_URL="[Your CA's URL]"
    # # step certificate fingerprint $(step path)/certs/root_ca.crt
    CA_FINGERPRINT="[Your CA"s Fingerprint]"
    STEPCLI_VERSION="0.14.0-rc.4"
    STEPCLI_VERSION="0.14.2"
    curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
    dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
  7. @tashian tashian revised this gist Apr 6, 2020. 1 changed file with 7 additions and 9 deletions.
    16 changes: 7 additions & 9 deletions init_aws_ssh_host.sh
    @@ -2,15 +2,11 @@
    #
    # This script will get an SSH host certificate from our CA and add a weekly
    # cron job to rotate the host certificate.
    CA_URL="[YOUR CA URL]"
    CA_URL="[Your CA's URL]"

    # Obtain your CA fingerprint by running this on your CA:
    # # step certificate fingerprint $(step path)/certs/root_ca.crt
    CA_FINGERPRINT="[YOUR CA FINGERPRINT]"

    # Your SSH user key is located on the CA.
    # # cat $(step path)/certs/ssh_user_ca_key.pub
    CA_SSH_USER_KEY="[YOUR SSH USER CA KEY]"
    CA_FINGERPRINT="[Your CA"s Fingerprint]"
    STEPCLI_VERSION="0.14.0-rc.4"
    @@ -23,10 +19,11 @@ step ca bootstrap --ca-url $CA_URL \
    --fingerprint $CA_FINGERPRINT
    # Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
    echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub
    step ssh config --roots > $(step path)/certs/ssh_user_key.pub
    # Get an SSH host certificate
    HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"
    LOCAL_HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/local-hostname)"
    # This helps us avoid a potential race condition / clock skew issue
    # "x509: certificate has expired or is not yet valid: current time 2020-04-01T17:52:51Z is before 2020-04-01T17:52:52Z"
    @@ -43,8 +40,9 @@ TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services"
    # Ask the CA to exchange our instance token for an SSH host certificate
    step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "Amazon Web Services" \
    --token $TOKEN
    --host --sign --provisioner "Amazon Web Services" \
    --principal $HOSTNAME --principal $LOCAL_HOSTNAME \
    --token $TOKEN
    # Configure and restart `sshd`
    tee -a /etc/ssh/sshd_config > /dev/null <<EOF
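Review bot: The new placeholder `CA_FINGERPRINT="[Your CA"s Fingerprint]"` contains an unescaped double quote, so the string closes after `CA` and the trailing `"` opens a quote that runs into the following lines; bash fails with a syntax error if the script is run before the placeholder is replaced. Write the apostrophe the same way as the `CA_URL` line above it: `CA_FINGERPRINT="[Your CA's Fingerprint]"`. The same line survives unchanged into the later revisions on this page (it appears as context in revisions 1, 5 and 6).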
  8. @tashian tashian revised this gist Apr 1, 2020. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions init_aws_ssh_host.sh
    @@ -28,6 +28,10 @@ echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub
    # Get an SSH host certificate
    HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"

    # This helps us avoid a potential race condition / clock skew issue
    # "x509: certificate has expired or is not yet valid: current time 2020-04-01T17:52:51Z is before 2020-04-01T17:52:52Z"
    sleep 1

    # The TOKEN is a JWT with the instance identity document and signature embedded in it.
    TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")

  9. @tashian tashian revised this gist Mar 26, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion init_aws_ssh_host.sh
    @@ -12,7 +12,7 @@ CA_FINGERPRINT="[YOUR CA FINGERPRINT]"
    # # cat $(step path)/certs/ssh_user_ca_key.pub
    CA_SSH_USER_KEY="[YOUR SSH USER CA KEY]"

    STEPCLI_VERSION="0.14.0-rc.3"
    STEPCLI_VERSION="0.14.0-rc.4"

    curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
    dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
  10. @tashian tashian revised this gist Mar 26, 2020. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions init_aws_ssh_host.sh
    @@ -26,10 +26,10 @@ step ca bootstrap --ca-url $CA_URL \
    echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub

    # Get an SSH host certificate
    export HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"
    HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"

    # The TOKEN is a JWT with the instance identity document and signature embedded in it.
    export TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")
    TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")

    # To inspect $TOKEN, run
    # $ echo $TOKEN | step crypto jwt inspect --insecure
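Review bot: `HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"` has no failure handling: without `-f`, a metadata error leaves `HOSTNAME` empty or holding an error body, and the following `step ca token $HOSTNAME …` then requests a token for that value. Use `curl -sf … || exit 1` and quote the expansions (`"$HOSTNAME"`, `"$TOKEN"`) in the two commands that consume them. If the instance enforces IMDSv2, this unauthenticated metadata request is refused and needs the session-token header; confirm against the instance's metadata settings. The same applies to the `LOCAL_HOSTNAME` line added in revision 7 and to the original line in revision 13.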
  11. @tashian tashian revised this gist Mar 25, 2020. 1 changed file with 9 additions and 0 deletions.
    9 changes: 9 additions & 0 deletions init_aws_ssh_host.sh
    @@ -27,7 +27,16 @@ echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub

    # Get an SSH host certificate
    export HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"

    # The TOKEN is a JWT with the instance identity document and signature embedded in it.
    export TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")

    # To inspect $TOKEN, run
    # $ echo $TOKEN | step crypto jwt inspect --insecure
    #
    # To inspect the Instance Identity Document embedded in the token, run
    # $ echo $TOKEN | step crypto jwt inspect --insecure | jq -r ".payload.amazon.document" | base64 -d

    # Ask the CA to exchange our instance token for an SSH host certificate
    step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "Amazon Web Services" \
  12. @tashian tashian revised this gist Mar 25, 2020. 1 changed file with 0 additions and 28 deletions.
    28 changes: 0 additions & 28 deletions init_aws_ssh_host.sh
    @@ -28,34 +28,6 @@ echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub
    # Get an SSH host certificate
    export HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"
    export TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")

    # In case you're curious, here's what an AWS IID token looks like:
    #
    # $ echo $TOKEN | step crypto jwt inspect --insecure
    # {
    # "header": {
    # "alg": "HS256",
    # "typ": "JWT"
    # },
    # "payload": {
    # "amazon": {
    # "document": "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",
    # "signature": "Vjet79r5ntppNjaFf9d2PeI8eXMA2z5+rSqu4vGIrJpzXZvpsjh5McwaY3Z6vuugV3pbdgxih7HWOQWlSoKSJeGF4Mc+pyYmKMfjTvtiyhAhqoevbHA2Od2osI4aKi/hiPAXLCagWuOVjuKdYvDm2MbMKUHsMCAgvPN9HtItepk="
    # },
    # "aud": [
    # "https://ec2-3-15-28-130.us-east-2.compute.amazonaws.com/1.0/sign#aws/Amazon%20Web%20Services"
    # ],
    # "exp": 1583371845,
    # "iat": 1583371545,
    # "iss": "ec2.amazonaws.com",
    # "jti": "51c62506731a9cbb9262b3ce1950fd0d70bc9155f29985e5f5470f27176114a3",
    # "nbf": 1583371545,
    # "sans": null,
    # "sub": "ec2-18-216-218-33.us-east-2.compute.amazonaws.com"
    # },
    # "signature": "owEOB4AXVUuzLwbQ4N72rM1A60hAVWrYS7UhrZWImfg"
    # }

    # Ask the CA to exchange our instance token for an SSH host certificate
    step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "Amazon Web Services" \
  13. @tashian tashian created this gist Mar 25, 2020.
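--- a/init_aws_ssh_host.sh
+++ b/init_aws_ssh_host.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+#
+# This script will get an SSH host certificate from our CA and add a weekly
+# cron job to rotate the host certificate.
+CA_URL="[YOUR CA URL]"
+
+# Obtain your CA fingerprint by running this on your CA:
+# # step certificate fingerprint $(step path)/certs/root_ca.crt
+CA_FINGERPRINT="[YOUR CA FINGERPRINT]"
+
+# Your SSH user key is located on the CA.
+# # cat $(step path)/certs/ssh_user_ca_key.pub
+CA_SSH_USER_KEY="[YOUR SSH USER CA KEY]"
+
+STEPCLI_VERSION="0.14.0-rc.3"
+
+curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
+dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb
+
+# Configure `step` to connect to & trust our `step-ca`.
+# Pull down the CA's root certificate so we can talk to it later with TLS
+step ca bootstrap --ca-url $CA_URL \
+--fingerprint $CA_FINGERPRINT
+
+# Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
+echo $CA_SSH_USER_KEY > $(step path)/certs/ssh_user_key.pub
+
+# Get an SSH host certificate
+export HOSTNAME="$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)"
+export TOKEN=$(step ca token $HOSTNAME --ssh --host --provisioner "Amazon Web Services")
+
+# In case you're curious, here's what an AWS IID token looks like:
+#
+# $ echo $TOKEN | step crypto jwt inspect --insecure
+# {
+# "header": {
+# "alg": "HS256",
+# "typ": "JWT"
+# },
+# "payload": {
+# "amazon": {
+# "document": "ewogICJhY2NvdW50SWQiIDogIjgwNzQ5MjQ3MzI2MyIsCiAgImFyY2hpdGVjdHVyZSIgOiAieDg2XzY0IiwKICAiYXZhaWxhYmlsaXR5Wm9uZSIgOiAidXMtZWFzdC0yYiIsCiAgImJpbGxpbmdQcm9kdWN0cyIgOiBudWxsLAogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAibWFya2V0cGxhY2VQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAiaW1hZ2VJZCIgOiAiYW1pLTBmYzIwZGQxZGE0MDY3ODBiIiwKICAiaW5zdGFuY2VJZCIgOiAiaS0wNTIzMzE5MWE4ZTU3NzNkMSIsCiAgImluc3RhbmNlVHlwZSIgOiAidDIubWljcm8iLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJwZW5kaW5nVGltZSIgOiAiMjAyMC0wMy0wNVQwMToxNDoyOVoiLAogICJwcml2YXRlSXAiIDogIjE3Mi4zMS4yNy4xMjIiLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTIiLAogICJ2ZXJzaW9uIiA6ICIyMDE3LTA5LTMwIgp9",
+# "signature": "Vjet79r5ntppNjaFf9d2PeI8eXMA2z5+rSqu4vGIrJpzXZvpsjh5McwaY3Z6vuugV3pbdgxih7HWOQWlSoKSJeGF4Mc+pyYmKMfjTvtiyhAhqoevbHA2Od2osI4aKi/hiPAXLCagWuOVjuKdYvDm2MbMKUHsMCAgvPN9HtItepk="
+# },
+# "aud": [
+# "https://ec2-3-15-28-130.us-east-2.compute.amazonaws.com/1.0/sign#aws/Amazon%20Web%20Services"
+# ],
+# "exp": 1583371845,
+# "iat": 1583371545,
+# "iss": "ec2.amazonaws.com",
+# "jti": "51c62506731a9cbb9262b3ce1950fd0d70bc9155f29985e5f5470f27176114a3",
+# "nbf": 1583371545,
+# "sans": null,
+# "sub": "ec2-18-216-218-33.us-east-2.compute.amazonaws.com"
+# },
+# "signature": "owEOB4AXVUuzLwbQ4N72rM1A60hAVWrYS7UhrZWImfg"
+# }
+
+# Ask the CA to exchange our instance token for an SSH host certificate
+step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
+--host --sign --provisioner "Amazon Web Services" \
+--token $TOKEN
+
+# Configure and restart `sshd`
+tee -a /etc/ssh/sshd_config > /dev/null <<EOF
+# SSH CA Configuration
+# This is the CA's public key, for authenticatin user certificates:
+TrustedUserCAKeys $(step path)/certs/ssh_user_key.pub
+# This is our host private key and certificate:
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
+EOF
+
+service ssh restart
+
+# Now add a weekly cron script to rotate our host certificate.
+cat <<EOF > /etc/cron.weekly/rotate-ssh-certificate
+#!/bin/sh
+export STEPPATH=/root/.step
+cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2> /dev/null
+exit 0
+EOF
+
+chmod 755 /etc/cron.weekly/rotate-ssh-certificate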
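Review bot: `service ssh restart` runs straight after the sshd_config append with no validation, so a mistake in the heredoc (for example a wrong `TrustedUserCAKeys` path) takes sshd down and locks out remote access; validate first and only restart on success: `sshd -t && service ssh restart`. The weekly cron script discards stderr with `2> /dev/null` and always exits 0, so a failed `step ssh renew` stays invisible until the host certificate expires; send the output to syslog instead, e.g. `cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2>&1 | logger -t rotate-ssh-certificate`. The script also has no `set -euo pipefail`, so a failed `step ca bootstrap` or `step ssh certificate` does not stop the later steps from rewriting sshd_config, and `echo $CA_SSH_USER_KEY` should be `printf '%s\n' "$CA_SSH_USER_KEY"` so the key is written without word-splitting. The heredoc comment `authenticatin` is a typo for `authenticating`.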