feat: manage ssh certificates #252
Conversation
Certificates
tasks/certificates.yml
Outdated
| - name: Copy Trusted user CA Keys | ||
| ansible.builtin.template: | ||
| src: "trusted-user-ca-keys.pem.j2" | ||
| dest: "{{ sshd['TrustedUserCAKeys'] }}" | ||
| mode: '0600' |
There was a problem hiding this comment.
I find it confusing that you are making a file with .pem extension which lists SSH keys in non-PEM format.
There was a problem hiding this comment.
I used the extension given as an example in the HashiCorp tutorial. In any case, the extension doesn't matter. Do you know a format that would be suitable without being confusing?
There was a problem hiding this comment.
Generally the SSH public keys have the .pub extension so I would probably go with that one.
defaults/main.yml
Outdated
| # If not null, list of trusted CA keys | ||
| sshd_trusted_user_ca_keys_list: [] |
There was a problem hiding this comment.
comment does not math the default value here. Probably mention empty instead of null in the comment?
EmyLIEUTAUD
changed the title
tasks/certificates.yml
Outdated
| src: "auth_principals.j2" | ||
| dest: "{{ sshd['AuthorizedPrincipalsFile'] | dirname }}/{{ item.key }}" | ||
| mode: '0644' | ||
| loop: "{{ q('dict', sshd_principals) }}" |
There was a problem hiding this comment.
| loop: "{{ q('dict', sshd_principals) }}" | |
| loop: "{{ ('dict', sshd_principals) }}" |
Is it a typo?
There was a problem hiding this comment.
This was an old syntax we used, but it's no longer documented. I've modified it to make the code easier to understand.
tests/tests_set_common.yml
Outdated
|
|
||
| - name: Check AuthorizedPrincipalsFile exists | ||
| ansible.builtin.assert: | ||
| that: |
There was a problem hiding this comment.
| that: | |
| that: authorizedprincipalsfile_stat.stat.exists |
tests/tests_set_common.yml
Outdated
| - name: Check AuthorizedPrincipalsFile exists | ||
| ansible.builtin.assert: | ||
| that: | ||
| - authorizedprincipalsfile_stat.stat.exists |
There was a problem hiding this comment.
| - authorizedprincipalsfile_stat.stat.exists |
tests/tests_set_common.yml
Outdated
|
|
||
| - name: Check TrustedUserCAKeys file exists | ||
| ansible.builtin.assert: | ||
| that: |
There was a problem hiding this comment.
| that: | |
| that: trustedusercakeys_file_stat.stat.exists |
tests/tests_set_common.yml
Outdated
| - name: Check TrustedUserCAKeys file exists | ||
| ansible.builtin.assert: | ||
| that: | ||
| - trustedusercakeys_file_stat.stat.exists |
There was a problem hiding this comment.
| - trustedusercakeys_file_stat.stat.exists |
|
lgtm |
build(deps): bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> spelling correction use random ssh key fix ansible lint fix test syntax update dictionary loop syntax update README and add variables to configure directories and files
.pre-commit-config.yaml
Outdated
| @@ -8,7 +8,7 @@ repos: | |||
| types: [file, yaml] | |||
| entry: yamllint --strict | |||
| - repo: https://github.com/ansible/ansible-lint.git | |||
| rev: v6.5.2 | |||
| rev: v6.17.2 | |||
There was a problem hiding this comment.
please, keep the dependencies changes in at least separate commit (ideally separate PR).
There was a problem hiding this comment.
Version restored here: 610a356.
add teststo certificates and restore ansible-lint version fix tests for certificates build(deps): bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
fix README change trusted user ca keys directory default mode
|
Thanks for all the work on this @EmyLIEUTAUD I'll get a new release out that includes this code in the few days. |
Enhancement:
Reason:
This allows you to configure and manage the SSH server to authenticate via certificates.
Improves SSH authentication security: certificates have a validity period, unlike SSH keys.
More information on SSH certificates is available here: Managing SSH Access at Scale with HashiCorp Vault.
Result:
All tests passed.
The related documentation is available and an example can be found in
examples/example-use-certificates.yml.Issue Tracker Tickets (Jira or BZ if any): -