mhzawadi · July 24, 2020 12:17
diff --git a/init_ansible_ssh_host.sh b/init_ansible_ssh_host.sh
 #!/bin/bash
 #
 # This script will get an SSH host certificate from our CA and add a weekly
 # cron job to rotate the host certificate.
 # 
 # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions

 CA_URL="[Your CA's URL]"
 ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]"
 CA_NAME="[A name for your CA]"

 # Obtain your CA fingerprint by running this on your CA:
 #   # step certificate fingerprint $(step path)/certs/root_ca.crt
 CA_FINGERPRINT="[Your CA"s Fingerprint]"

 STEPCLI_VERSION="0.14.6"

 # curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
 # dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb

 # Configure `step` to connect to & trust our `step-ca`.
 # Pull down the CA's root certificate so we can talk to it later with TLS
 step ca bootstrap --ca-url $CA_URL \
                 --fingerprint $CA_FINGERPRINT

 # Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
 step ssh config --roots > $(step path)/certs/ssh_user_key.pub

 # Ask the CA to exchange our host key for an SSH host certificate
 TOKEN=$(step ca token vps432732 -host -ssh [email protected] -password-file=key)
 step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
    --host --sign --provisioner "${CA_NAME}@${ALLOWED_DOMAIN}" \
    --principal $HOSTNAME --principal "" \
    --token ${TOKEN}

 exit
 # Configure and restart `sshd`
 tee -a /etc/ssh/sshd_config > /dev/null <<EOF
 # SSH CA Configuration

 # This is the CA's public key, for authenticatin user certificates:
 TrustedUserCAKeys $(step path)/certs/ssh_user_key.pub

 # This is our host private key and certificate:
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
 EOF

 service ssh restart

 # Now add a weekly cron script to rotate our host certificate.
 cat <<EOF > /etc/cron.weekly/rotate-ssh-certificate
 #!/bin/sh

 export STEPPATH=/root/.step

 cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2> /dev/null

 exit 0
 EOF

 chmod 755 /etc/cron.weekly/rotate-ssh-certificate
	#!/bin/bash
	#
	# This script will get an SSH host certificate from our CA and add a weekly
	# cron job to rotate the host certificate.
	#
	# See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions

	CA_URL="[Your CA's URL]"
	ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]"
	CA_NAME="[A name for your CA]"

	# Obtain your CA fingerprint by running this on your CA:
	# # step certificate fingerprint $(step path)/certs/root_ca.crt
	CA_FINGERPRINT="[Your CA"s Fingerprint]"

	STEPCLI_VERSION="0.14.6"

	# curl -LO https://github.com/smallstep/cli/releases/download/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb
	# dpkg -i step-cli_${STEPCLI_VERSION}_amd64.deb

	# Configure `step` to connect to & trust our `step-ca`.
	# Pull down the CA's root certificate so we can talk to it later with TLS
	step ca bootstrap --ca-url $CA_URL \
	--fingerprint $CA_FINGERPRINT

	# Install the CA cert for validating user certificates (from /etc/step-ca/certs/ssh_user_key.pub` on the CA).
	step ssh config --roots > $(step path)/certs/ssh_user_key.pub

	# Ask the CA to exchange our host key for an SSH host certificate
	TOKEN=$(step ca token vps432732 -host -ssh [email protected] -password-file=key)
	step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub \
	--host --sign --provisioner "${CA_NAME}@${ALLOWED_DOMAIN}" \
	--principal $HOSTNAME --principal "" \
	--token ${TOKEN}

	exit
	# Configure and restart `sshd`
	tee -a /etc/ssh/sshd_config > /dev/null <<EOF
	# SSH CA Configuration

	# This is the CA's public key, for authenticatin user certificates:
	TrustedUserCAKeys $(step path)/certs/ssh_user_key.pub

	# This is our host private key and certificate:
	HostKey /etc/ssh/ssh_host_ecdsa_key
	HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
	EOF

	service ssh restart

	# Now add a weekly cron script to rotate our host certificate.
	cat <<EOF > /etc/cron.weekly/rotate-ssh-certificate
	#!/bin/sh

	export STEPPATH=/root/.step

	cd /etc/ssh && step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key --force 2> /dev/null

	exit 0
	EOF

	chmod 755 /etc/cron.weekly/rotate-ssh-certificate