-
-
Save mhzawadi/3d0759bfb69eff93c4f9f04b10c66658 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This script will launch and configure a step-ca SSH Certificate Authority | |
| # with OIDC and AWS provisioners | |
| # | |
| # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions | |
| OIDC_CLIENT_ID="[OAuth client ID]" # from Google | |
| OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google | |
| ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]" | |
| CA_NAME="[A name for your CA]" | |
| ROOT_KEY_PASSWORD="[A password for your CA's root key]" | |
| EMAIL="[email protected]" | |
| STEPCLI_VERSION="0.18.0" | |
| # Setup the JWK | |
| mkdir ~/step-ca | |
| touch ~/step-ca/key | |
| echo $ROOT_KEY_PASSWORD > ~/step-ca/key | |
| step crypto jwk create ~/step-ca/jwk.pub.json ~/step-ca/jwk.json –password-file=~/step-ca/key | |
| OPENID_CONFIG_ENDPOINT="https://accounts.google.com/.well-known/openid-configuration" | |
| curl -sLO https://github.com/smallstep/certificates/releases/download/v${STEPCLI_VERSION}/step-certificates_${STEPCLI_VERSION}_amd64.deb | |
| dpkg -i step-certificates_${STEPCLI_VERSION}_amd64.deb | |
| curl -sLO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb | |
| dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb | |
| # All your CA config and certificates will go into $STEPPATH. | |
| export STEPPATH=/etc/step-ca | |
| mkdir -p $STEPPATH | |
| chmod 700 $STEPPATH | |
| echo $ROOT_KEY_PASSWORD > $STEPPATH/password.txt | |
| # Add a service to systemd for our CA. | |
| cat<<EOF > /etc/systemd/system/step-ca.service | |
| [Unit] | |
| Description=step-ca service | |
| After=network.target | |
| StartLimitIntervalSec=0 | |
| [Service] | |
| Type=simple | |
| Restart=always | |
| RestartSec=1 | |
| User=root | |
| Environment=STEPPATH=/etc/step-ca | |
| ExecStart=/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| # Set up our basic CA configuration and generate root keys | |
| step ca init --ssh --name="$CA_NAME" \ | |
| --dns="$LOCAL_IP,$LOCAL_HOSTNAME,$PUBLIC_IP,$PUBLIC_HOSTNAME" \ | |
| --address=":443" --provisioner="$EMAIL" \ | |
| --password-file="$STEPPATH/password.txt" | |
| # Add the Google OAuth provisioner, for user certificates | |
| step ca provisioner add Google --type=oidc --ssh \ | |
| --client-id="$OIDC_CLIENT_ID" \ | |
| --client-secret="$OIDC_CLIENT_SECRET" \ | |
| --configuration-endpoint="$OPENID_CONFIG_ENDPOINT" \ | |
| --domain="$ALLOWED_DOMAIN" | |
| # Add a JWK provisioner, for host bootstrapping | |
| step ca provisioner add [email protected] ~/step-ca/jwk.json \ | |
| --ca-config /etc/step-ca/config/ca.json --ssh –password-file=~/step-ca/key | |
| # The sshpop provisioner lets hosts renew their ssh certificates | |
| step ca provisioner add SSHPOP --type=sshpop --ssh | |
| # Use Google (OIDC) as the default provisioner in the end user's | |
| # ssh configuration template. | |
| sed -i 's/\%p$/%p --provisioner="Google"/g' /etc/step-ca/templates/ssh/config.tpl | |
| service step-ca start | |
| echo "export STEPPATH=$STEPPATH" >> /root/.profile |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment