feat: manage ssh certificates #252
Certificates
tasks/certificates.yml
Outdated
- name: Copy Trusted user CA Keys
  ansible.builtin.template:
    src: "trusted-user-ca-keys.pem.j2"
    dest: "{{ sshd['TrustedUserCAKeys'] }}"
    mode: '0600'
I find it confusing that you are making a file with .pem extension which lists SSH keys in non-PEM format.
I used the extension given as an example in the HashiCorp tutorial. In any case, the extension doesn't matter. Do you know a format that would be suitable without being confusing?
Generally the SSH public keys have the .pub extension so I would probably go with that one.
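A check that follows from the .pem/.pub discussion above, added here as example code that is not part of the role or of this PR: it verifies that the body of a TrustedUserCAKeys file holds OpenSSH public-key lines (the format sshd reads) rather than PEM, and that each key's embedded type matches its prefix. The `constructed_key_line` helper and both SAMPLE_* values are constructed for the example, not real CA material.

```python
import base64

# Key types accepted in TrustedUserCAKeys (same "<type> <base64> [comment]" lines as authorized_keys)
OPENSSH_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_openssh_pubkey(line):
    """Return (keytype, comment) for one OpenSSH public-key line, or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in OPENSSH_KEY_TYPES:
        raise ValueError(f"unknown key type {keytype!r}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key blob is not valid base64") from exc
    # The decoded blob starts with a length-prefixed string repeating the key type.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != keytype.encode():
        raise ValueError("embedded key type does not match prefix")
    return keytype, comment

def check_trusted_ca_keys(text):
    """Return the problems found in a TrustedUserCAKeys file body (empty list means OK)."""
    if "-----BEGIN" in text:
        return ["PEM header found: sshd expects OpenSSH public-key lines, not PEM"]
    problems, keys = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys += 1
        try:
            parse_openssh_pubkey(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    if keys == 0:
        problems.append("no CA keys listed")
    return problems

def constructed_key_line(keytype, comment):
    # Constructed sample only (not a real CA key): wire format around a zero-filled 32-byte key.
    raw = len(keytype).to_bytes(4, "big") + keytype.encode() + (32).to_bytes(4, "big") + b"\x00" * 32
    return f"{keytype} {base64.b64encode(raw).decode()} {comment}"

SAMPLE_GOOD = constructed_key_line("ssh-ed25519", "user-ca@example")  # constructed sample
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"  # constructed sample
```

Run `check_trusted_ca_keys` over the rendered template output in a test task to catch a PEM-formatted or mistyped CA key before sshd silently ignores it.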
defaults/main.yml
Outdated
# If not null, list of trusted CA keys
sshd_trusted_user_ca_keys_list: []
Comment does not match the default value here. Probably mention empty instead of null in the comment?
One spelling correction but otherwise lgtm
tasks/certificates.yml
Outdated
    src: "auth_principals.j2"
    dest: "{{ sshd['AuthorizedPrincipalsFile'] | dirname }}/{{ item.key }}"
    mode: '0644'
  loop: "{{ q('dict', sshd_principals) }}"
Suggested change:
-  loop: "{{ q('dict', sshd_principals) }}"
+  loop: "{{ ('dict', sshd_principals) }}"
Is it a typo?
This was an old syntax we used, but it's no longer documented. I've modified it to make the code easier to understand.
tests/tests_set_common.yml
Outdated
- name: Check AuthorizedPrincipalsFile exists
  ansible.builtin.assert:
    that:
Suggested change:
-    that:
+    that: authorizedprincipalsfile_stat.stat.exists
tests/tests_set_common.yml
Outdated
- name: Check AuthorizedPrincipalsFile exists
  ansible.builtin.assert:
    that:
      - authorizedprincipalsfile_stat.stat.exists
Suggested change:
      - authorizedprincipalsfile_stat.stat.exists
tests/tests_set_common.yml
Outdated
- name: Check TrustedUserCAKeys file exists
  ansible.builtin.assert:
    that:
Suggested change:
-    that:
+    that: trustedusercakeys_file_stat.stat.exists
tests/tests_set_common.yml
Outdated
- name: Check TrustedUserCAKeys file exists
  ansible.builtin.assert:
    that:
      - trustedusercakeys_file_stat.stat.exists
Suggested change:
      - trustedusercakeys_file_stat.stat.exists
lgtm
Hopefully the last nits on the wording of the README. Then I would love to have the fixup commits slightly squashed as the commit series is getting long ...
build(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

spelling correction
use random ssh key
fix ansible lint
fix test syntax
update dictionary loop syntax
update README and add variables to configure directories and files
.pre-commit-config.yaml
Outdated
@@ -8,7 +8,7 @@ repos: | |||
types: [file, yaml] | |||
entry: yamllint --strict | |||
- repo: https://github.com/ansible/ansible-lint.git | |||
rev: v6.5.2 | |||
rev: v6.17.2 |
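Review bot: the `rev: v6.5.2` to `rev: v6.17.2` ansible-lint bump in this hunk is unrelated to the certificate feature and spans many releases, so any new lint findings in CI cannot be attributed to either the tool change or the new tasks; move it to its own commit or PR and note any rule changes it pulls in.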
please, keep the dependencies changes in at least separate commit (ideally separate PR).
Version restored here: 610a356.
add tests to certificates and restore ansible-lint version
fix tests for certificates

build(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Minor ordering in docs but looks good to me otherwise.
I don't understand why the checkout action is showing the version change - have you rebased from main recently? It might resolve that
fix README
change trusted user ca keys directory default mode
Code-wise it looks good. I would prefer the fixup commits squashed, but if others are ok with the commit series, I do not want to block the changes.
Thanks for all the work on this @EmyLIEUTAUD. I'll get a new release out that includes this code in the next few days.
Enhancement:
Reason:
This allows you to configure and manage the SSH server to authenticate via certificates.
Improves SSH authentication security: certificates have a validity period, unlike SSH keys.
More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.
Result:
All tests passed.
The related documentation is available and an example can be found in examples/example-use-certificates.yml.
Issue Tracker Tickets (Jira or BZ if any): -