├── .gitignore
├── LICENSE
├── README.md
├── ansible.cfg
├── files
├── ssh-ca
├── ssh-ca.motd
└── sudoers-sshca
├── install.yml
├── ssh-csr
├── templates
├── ssh-ca.conf.j2
└── sshd_config.j2
├── test.yml
├── users.yml
└── vars.template.yml
/.gitignore:
--------------------------------------------------------------------------------
1 | .ansible-vault-password.txt
2 | inventory
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C)
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published
637 | by the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see .
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | .
662 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Forced Command SSH CA
2 | =====================
3 |
4 | A self-serve automated SSH CA implemented as an SSH forced command.
5 |
6 | > Copyright © 2018 Alexandre de Verteuil
7 | >
8 | > This program is free software: you can redistribute it and/or modify
9 | > it under the terms of the **GNU Affero General Public License** as published
10 | > by the Free Software Foundation, either version 3 of the License, or
11 | > (at your option) any later version.
12 | >
13 | > This program is distributed in the hope that it will be useful,
14 | > but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | > GNU Affero General Public License for more details.
17 | >
18 | > You should have received a copy of the GNU Affero General Public License
19 | > along with this program. If not, see [http://www.gnu.org/licenses/](http://www.gnu.org/licenses/).
20 |
21 |
22 | Design
23 | ======
24 |
25 | This CA is made by a Linux system administrator for Linux system
26 | administrators. It leverages facilities of a mostly vanilla Debian/Ubuntu
27 | operating system to reduce on programming and maintenance effort.
28 |
29 | The user doesn't invoke `ssh-ca` directly. When an ssh connection
30 | is established to the server and the client authenticates as a user
31 | other than root, the SSH server loads `/usr/sbin/sudo -u sshca
32 | /usr/local/bin/ssh-ca` as a forced command. The `ssh-ca` process can
33 | read the `SSH_ORIGINAL_COMMAND` environment variable and take different
34 | actions according to the command parameters passed by the ssh client.
35 |
36 | When the command parameters contain an SSH certificate signature
37 | subcommand, a public key is expected on standard input then an SSH
38 | certificate is written to standard output and the connection is closed.
39 |
40 | Here's an overview of the call chain:
41 |
42 | `ssh-csr` → `ssh` → `sshd` → `sudo` → `ssh-ca` → `ssh-keygen`
43 |
44 |
45 | Functions of the Ansible playbook
46 | ---------------------------------
47 |
48 | * Create user accounts (regular Unix users) with their `authorized_keys`
49 | All users except root have a `ForceCommand`
50 | * Create the `sshca` user
51 | * Install `/usr/local/bin/ssh-ca`
52 | * Configure the CA
53 | * Configure the `ForceCommand` and `sudoers`
54 | * Install the SSH CA keypair(s)
55 | * Activate NTP
56 | * Create a host certificate signed by the CA
57 |
58 |
59 | Functions of `ssh-ca`
60 | ---------------------
61 |
62 | * Read its configuration
63 | * Path to the CA keys
64 | * Certificate options
65 | * Certificate validity (time window before and after "now")
66 | * Read a public key on standard input, sign it, write the certificate on standard output
67 | * Log the requests
68 | * Log the emitted certificates
69 | * Subcommands:
70 | * `user`: Sign a user certificate
71 | * `host`: Sign a host certificate
72 | * `report`: Report all certificates ever produced in CSV format
73 |
74 | Optionnal, future development:
75 |
76 | * Restrict certain principals to certain users
77 |
78 |
79 | Functions of the CA system administrator
80 | ----------------------------------------
81 |
82 | * Define CA variables in the Ansible inventory
83 | * Run the CA installation playbook `install.yml`
84 | * Rotate CA keys on a recurring basis and on a security alert basis
85 | * Revoke certificates
86 | * Audit CA and CSR logs
87 |
88 |
89 | Functions of sshd
90 | -----------------
91 |
92 | * Authenticate users authorized to obtain SSH certificates
93 | * Force the ssh-ca command on such users
94 |
95 |
96 | Functions of ssh-csr
97 | --------------------
98 |
99 | * Read the principal list from the command parameter
100 | * Establish an SSH connection to the CA, specifying the ssh-ca subcommand and parameters
101 | * Read ~/.ssh/id\_rsa.pub (or another configured identity) and write the key to ssh-ca's standard input
102 | * Close the write stream
103 | * Read the signed certificate from ssh-ca's standard output and write it to ~/ssh.id\_rsa-cert.pub (or another configured itentity)
104 |
105 |
106 | Functions of `sudo`
107 | -------------------
108 |
109 | Permit users of the `sshca` group to sign keys while preventing direct access to the CA keys.
110 |
111 |
112 | CA administrator set up
113 | =======================
114 |
115 | Before you can manage the SSH CA, you must perform a few preparation steps.
116 |
117 |
118 | Inventory
119 | ---------
120 |
121 | The inventory directory should be organized in a different repository because
122 | this repository is open sourced and will be version controlled separately.
123 |
124 | In this repository's root directory, create a symbolic link named "inventory"
125 | pointing to your inventory file or directory.
126 |
127 | ln -s ../ssh-ca-inventory inventory
128 |
129 | The CA will be installed on `ssh-ca` host group. The "inventory"
130 | file/link is not tracked by Git.
131 |
132 |
133 | Variables
134 | ---------
135 |
136 | The `vars.template.yml` file is provided as documentation-by-example for
137 | the Ansible variables that must be defined in your inventory.
138 |
139 |
140 | Ansible Vault password
141 | ----------------------
142 |
143 | If some of your variables are in an Ansible Vault, write the Vault
144 | password in the `.ansible-vault-password.txt` file at the root of this
145 | repository. This file is not tracked by Git and is referred to from the
146 | supplied `ansible.cfg` configuration file.
147 |
148 | The CA system administrators are those that have the Vault password and
149 | root access to the SSH servers of the `ssh-ca` host group. They are
150 | masters of the CA and must be trusted.
151 |
152 |
153 | SSH CA administration tasks
154 | ===========================
155 |
156 | Remove a user's key
157 | -------------------
158 |
159 | Do not remove a user's SSH key by deleting its item from the list. This
160 | will simply stop Ansible from managing this key and would leave it
161 | present on the CA server. Rather, add the "state:" key with the value
162 | "absent". Then run the next install.yml playbook run will actually
163 | remove the SSH key from the user's authorized\_keys file.
164 |
165 |
166 | Create CA keypairs
167 | ------------------
168 |
169 | On your workstation, use `ssh-keygen` to generate a keypair.
170 |
171 | ssh-keygen -C my-ca-01 -f my-ca-01
172 |
173 |
174 | -C my-ca-01- Set the key's comment to "my-ca-01". By convention, 01 is the key's sequence number. Thus you can provision multiple keys in advance to facilitate key rotation.
176 | -f my-ca-01- Provide the output filename. The public part will have `.pub` appended to the name.
178 |
179 |
180 | Then copy the content of the secret and public key files in a new `ssh_ca_keypairs` list item.
181 |
182 |
183 | Publish the CA public key for user's known hosts
184 | ------------------------------------------------
185 |
186 | Instruct your users to add the certificate authority key to their
187 | `known_hosts` file. The format of the line is:
188 |
189 | @cert-authority * keytype base64-encoded-key comment
190 |
191 | For example:
192 |
193 | @cert-authority * ssh-rsa AAAAB3NzaC1y ..... WcS60D my-ca-01
194 |
195 |
196 | Rotate host certificates
197 | ------------------------
198 |
199 | Host certificates have a 1 year validity. To renew them,
200 | `rm /etc/ssh/ssh_host_*_key-cert.pub` and run the playbook
201 | again.
202 |
203 |
204 | FreeIPA Integration
205 | ===================
206 |
207 | Forced Command SSH CA can be configured with FreeIPA integration for
208 | user authentication with SSH public key authentication. In this case,
209 | centralized sudo rules and Host Based Access Control must be carefully
210 | planned to limit access to the public key for regular users.
211 |
212 | I suggest joining the CA server to the ipa domain and setting
213 | `ssh_ca_configuration.freeipa_integration` to `yes` in host variables
214 | **before** running the `install.yml` playbook.
215 |
216 | I tested this on a Ubuntu 14.04 ipa client with two CentOS 7 ipa servers.
217 |
218 |
219 | Joining the FreeIPA domain
220 | --------------------------
221 |
222 | Install FreeIPA client
223 |
224 | aptitude install freeipa-client
225 |
226 | Update the nameservers configured in /etc/network/interfaces to point
227 | to the IPA nameservers. Assuming that DNS service is enabled on the ipa
228 | servers, this will enable service discovery.
229 |
230 | ipa-client-install --mkhomedir --no-sshd
231 |
232 | Note: The `--mkhomedir` option can be set but it doesn't seem to enable
233 | PAM's mkhomedir module. There is a task in `install.yml` that takes care
234 | of that.
235 |
236 | add sudo to the list of sssd services in `/etc/sssd/sssd.conf`:
237 |
238 | services = nss, pam, ssh, sudo
239 |
240 | Remove any unneeded keys from `/root/.ssh/authorized_keys`, especially
241 | if your provisioning infrastructure automatically inserts the CA key. It
242 | is nonsensical to authorize `ssh-ca-users` to login as root on any host
243 | in the FreeIPA domain!
244 |
245 |
246 | Administration credentials
247 | --------------------------
248 |
249 | When FreeIPA integration is used, CA administrators no longer connect
250 | to the server with the `root` user. Rather, they should have a separate
251 | user in the `ssh-ca-admins` group. For example, I have an `adeverteuil`
252 | user in the `ssh-ca-users` group and an `adeverteuil-admin` user in the
253 | `ssh-ca-admins` group.
254 |
255 | Then I run the `install.yml` playbook with the following options:
256 |
257 | ap install.yml -u adeverteuil-admin -b --become-user root
258 |
259 |
260 | FreeIPA sudo rules
261 | ------------------
262 |
263 | -sh-4.2$ ipa sudocmd-show '/usr/local/bin/ssh-ca ""'
264 | Sudo Command: /usr/local/bin/ssh-ca ""
265 | Description: forcedcommand-ssh-ca
266 |
267 | -sh-4.2$ ipa sudorule-show forcedcommand-ssh-ca
268 | Rule name: forcedcommand-ssh-ca
269 | Enabled: TRUE
270 | User Groups: ssh-ca-users
271 | Host Groups: ssh-ca
272 | Sudo Allow Commands: /usr/local/bin/ssh-ca ""
273 | RunAs External User: sshca
274 | Sudo Option: !authenticate, env_keep+=SSH_ORIGINAL_COMMAND
275 |
276 |
277 | FreeIPA users
278 | -------------
279 |
280 | This is my regular user. It is a indirect member of the `ssh-ca-users`
281 | group. For demonstration purposes I removed some irrelevant details.
282 |
283 | -sh-4.2$ ipa user-show adeverteuil
284 | User login: adeverteuil
285 | First name: Alexandre
286 | Last name: de Verteuil
287 | Home directory: /home/adeverteuil
288 | Login shell: /bin/sh
289 | Principal name: adeverteuil@SC.IWEB.COM
290 | Principal alias: adeverteuil@SC.IWEB.COM
291 | Email address: adeverteuil@inap.com
292 | UID: 1440900000
293 | GID: 1440900000
294 | SSH public key fingerprint: SHA256:hAJ0lT9FR85x+3IUyv6hLtv0bJSOc/1mWPXEGyAxPy0 adeverteuil@home-pc (ssh-rsa),
295 | SHA256:IpS5f34ur5ETLATde6kcX0SXSeOl3u4+e9XS8w2oiJo adeverteuil@home-laptop (ssh-rsa),
296 | SHA256:bh/6eKMulLfWwdrfR+S9OegfNjHiHeEoa3tFzpRq4bQ adeverteuil@work-laptop (ssh-rsa)
297 | Account disabled: False
298 | Password: True
299 | Member of groups: ipausers, ssh-ca-users
300 | Indirect Member of Sudo rule: forcedcommand-ssh-ca
301 | Indirect Member of HBAC rule: ssh certificate authority
302 | Kerberos keys available: True
303 |
304 | This is my admin user. It's a good practice to have a privileged
305 | user account for administrative work and a regular user account for
306 | day-to-day work. In this case, it is mandatory because any user in the
307 | `ssh-ca-users` group will never be able to get a shell via SSH due to
308 | the ForceCommand.
309 |
310 | In this case, the user is member of the `ssh-ca-admins` group.
311 |
312 | -sh-4.2$ ipa user-show adeverteuil-admin
313 | User login: adeverteuil-admin
314 | First name: Alexandre
315 | Last name: de Verteuil
316 | Home directory: /home/adeverteuil-admin
317 | Login shell: /bin/sh
318 | Principal name: adeverteuil-admin@SC.IWEB.COM
319 | Principal alias: adeverteuil-admin@SC.IWEB.COM
320 | Email address: adeverteuil-admin@sc.iweb.com
321 | UID: 1440900008
322 | GID: 1440900008
323 | SSH public key fingerprint: SHA256:bh/6eKMulLfWwdrfR+S9OegfNjHiHeEoa3tFzpRq4bQ adeverteuil@work-laptop (ssh-rsa)
324 | Account disabled: False
325 | Password: True
326 | Member of groups: ipausers, ssh-ca-admins, admins
327 | Indirect Member of Sudo rule: sc-infra-admin sudo on SC infrastructure
328 | Indirect Member of HBAC rule: ssh-ca-administration, sc-infra-admins
329 | Kerberos keys available: True
330 |
331 |
332 | FreeIPA HBAC
333 | ------------
334 |
335 | It is important to disable the default `allow_all` HBAC rule.
336 |
337 | This new rule allows members of the `ssh-ca-admins` group to ssh into the CA server.
338 |
339 | -sh-4.2$ ipa hbacrule-show ssh-ca-administration
340 | Rule name: ssh-ca-administration
341 | Description: Members of ssh-ca-admins get shell access on the CA servers. Users of this group should not be members of ssh-ca-users, otherwise the ssh ForceCommand will be in effect and prevent ssh-ca-admins
342 | from getting a ssh terminal.
343 | Enabled: TRUE
344 | User Groups: ssh-ca-admins
345 | Host Groups: ssh-ca
346 | Services: login, sshd
347 | Service Groups: Sudo
348 |
349 | This also grants ssh access to the `ssh-ca-users` group, and the ForceCommand in `sshd_config` is enforced on this group name.
350 |
351 | -sh-4.2$ ipa hbacrule-show "ssh certificate authority"
352 | Rule name: ssh certificate authority
353 | Enabled: TRUE
354 | User Groups: ssh-ca-users
355 | Host Groups: ssh-ca
356 | Services: sshd
357 |
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | remote_user = root
3 | retry_files_enabled = False
4 | ansible_managed = This file is managed by Ansible. Do not edit manually!
5 | vault_password_file = .ansible-vault-password.txt
6 | inventory = inventory
7 |
--------------------------------------------------------------------------------
/files/ssh-ca:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # ssh-ca
4 | #
5 | # This file is part of forced-command-ssh-ca, a self-serve automated SSH
6 | # certificate authority implemented as an SSH forced command
7 | # Copyright (C) 2018 Alexandre de Verteuil
8 | #
9 | # This program is free software: you can redistribute it and/or modify
10 | # it under the terms of the GNU Affero General Public License as published
11 | # by the Free Software Foundation, either version 3 of the License, or
12 | # (at your option) any later version.
13 | #
14 | # This program is distributed in the hope that it will be useful,
15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 | # GNU Affero General Public License for more details.
18 | #
19 | # You should have received a copy of the GNU Affero General Public License
20 | # along with this program. If not, see .
21 |
22 | . /etc/ssh-ca.conf
23 |
24 | run_id="$(uuid)"
25 | user_id="${SUDO_USER:-$USER}"
26 |
27 | function log_debug() {
28 | flock /var/log/ssh-ca/debug.log \
29 | echo "$(date "+%F %T") ${run_id} ${*}" \
30 | >> /var/log/ssh-ca/debug.log
31 | }
32 |
33 | function log_output() {
34 | log_debug "CALL ${*}"
35 | output="$("${@}" 2>&1)"
36 | rc=$?
37 | log_debug "RETURN ${rc}"
38 | log_debug "OUTPUT ${output}"
39 | return ${rc}
40 | }
41 |
42 | function log_certificate() {
43 | flock /var/log/ssh-ca/certificates.log \
44 | dd oflag=append conv=notrunc status=none \
45 | if="${cert}" \
46 | of=/var/log/ssh-ca/certificates.log
47 | }
48 |
49 | function sign_key() {
50 | # Files and IO related variables
51 | mkdir -p /tmp/ssh-ca
52 | pubkey="/tmp/ssh-ca/${run_id}.pub"
53 | cert="/tmp/ssh-ca/${run_id}-cert.pub"
54 |
55 | # Expect a public key on stdin
56 | dd bs=1K count=10 of="${pubkey}" status=none
57 | log_output ssh-keygen -l -f "${pubkey}"
58 | rc=$?
59 | if [ ${rc} -gt 0 ]; then
60 | echo ERROR: input is not a well-formed SSH public key
61 | rm "${pubkey}"
62 | exit ${rc}
63 | fi
64 |
65 | # Certificate signature parameters
66 | ca_key="/usr/local/lib/ssh-ca/${SSH_CA_KEY}"
67 | serial="$(date +%s)"
68 | principals="${arguments[1]}"
69 | if [ "${arguments[0]}" = "user" ]; then
70 | validity="${SSH_CA_CERTIFICATE_VALIDITY}"
71 | identity="${user_id}"
72 | options="${SSH_CA_CERTIFICATE_OPTIONS}"
73 | host_cert=""
74 | else
75 | validity="-10m:+365d"
76 | identity="CA=${SSH_CA_KEY} REQUESTOR=${user_id}"
77 | options=""
78 | host_cert="-h"
79 | fi
80 |
81 | # Validation
82 | if [ -z "${principals}" ]; then
83 | log_debug "ERROR: Empty PRINCIPALS parameter"
84 | echo "ERROR: The PRINCIPALS parameter cannot be empty"
85 | exit 1
86 | fi
87 |
88 | # Actual signature happens here
89 | log_output ssh-keygen \
90 | -P "" \
91 | -s "${ca_key}" \
92 | ${host_cert} \
93 | -I "${identity}" \
94 | -V "${validity}"${options} \
95 | -n "${principals}" \
96 | -z "${serial}" \
97 | "${pubkey}"
98 | rc=$?
99 |
100 | # Cleanup
101 | rm "${pubkey}"
102 | if [ ${rc} -eq 0 ]; then
103 | log_certificate
104 | cat "${cert}"
105 | rm "${cert}"
106 | else
107 | echo "ERROR: no certificate was produced"
108 | echo "See the debug log on the CA server for more details"
109 | exit ${rc}
110 | fi
111 | }
112 |
113 | function print_licence() {
114 | echo "This is forced-command-ssh-ca, a self-serve automated SSH"
115 | echo "certificate authority implemented as an SSH forced command"
116 | echo "Copyright (C) 2018 Alexandre de Verteuil"
117 | echo ""
118 | echo "This program is free software: you can redistribute it and/or modify"
119 | echo "it under the terms of the GNU Affero General Public License as published"
120 | echo "by the Free Software Foundation, either version 3 of the License, or"
121 | echo "(at your option) any later version."
122 | echo ""
123 | echo "This program is distributed in the hope that it will be useful,"
124 | echo "but WITHOUT ANY WARRANTY; without even the implied warranty of"
125 | echo "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the"
126 | echo "GNU Affero General Public License for more details."
127 | echo ""
128 | echo "You should have received a copy of the GNU Affero General Public License"
129 | echo "along with this program. If not, see ."
130 | echo ""
131 | echo "The source code is available at"
132 | echo "https://github.com/adeverteuil/forced-command-ssh-ca"
133 | }
134 |
135 | function print_usage() {
136 | echo "Forced Command SSH CA"
137 | echo "Copyright (C) 2018 Alexandre de Verteuil"
138 | echo ""
139 | echo "Usage:"
140 | echo " host PRINCIPALS"
141 | echo " Sign a host certificate"
142 | echo " user PRINCIPALS"
143 | echo " Sign a user certificate"
144 | echo " PRINCIPALS is a mandatory comma-separated list of principals"
145 | echo " to include in the signed certificate"
146 | echo " report"
147 | echo " Print the list of all certificates ever signed"
148 | echo " Example report details on the last 10 certificates:"
149 | echo " $ ssh ssh-ca report | ssh-keygen -L -f <(tail)"
150 | echo " licence"
151 | echo " Print licencing information about this free software"
152 | echo ""
153 | echo "COMMAND=$SSH_ORIGINAL_COMMAND"
154 | echo "USER=$user_id"
155 | echo "SSH_CA_KEY=$SSH_CA_KEY"
156 | echo "SSH_CA_CERTIFICATE_VALIDITY=$SSH_CA_CERTIFICATE_VALIDITY"
157 | echo "SSH_CA_CERTIFICATE_OPTIONS=$SSH_CA_CERTIFICATE_OPTIONS"
158 | }
159 |
160 | log_debug "SSH_ORIGINAL_COMMAND \"${SSH_ORIGINAL_COMMAND}\""
161 | read -a arguments <<< "${SSH_ORIGINAL_COMMAND}"
162 | case "${arguments[0]}" in
163 | user|host)
164 | sign_key "${subcommand}"
165 | ;;
166 | report)
167 | cat "/var/log/ssh-ca/certificates.log"
168 | ;;
169 | licence)
170 | print_licence
171 | ;;
172 | *)
173 | print_usage
174 | ;;
175 | esac
176 |
--------------------------------------------------------------------------------
/files/ssh-ca.motd:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Generated with figlet -t "Forced Command SSH CA"
3 | cat <<"EOF"
4 | _____ _ ____ _ ____ ____ _ _ ____ _
5 | | ___|__ _ __ ___ ___ __| | / ___|___ _ __ ___ _ __ ___ __ _ _ __ __| | / ___/ ___|| | | | / ___| / \
6 | | |_ / _ \| '__/ __/ _ \/ _` | | | / _ \| '_ ` _ \| '_ ` _ \ / _` | '_ \ / _` | \___ \___ \| |_| | | | / _ \
7 | | _| (_) | | | (_| __/ (_| | | |__| (_) | | | | | | | | | | | (_| | | | | (_| | ___) |__) | _ | | |___ / ___ \
8 | |_| \___/|_| \___\___|\__,_| \____\___/|_| |_| |_|_| |_| |_|\__,_|_| |_|\__,_| |____/____/|_| |_| \____/_/ \_\
9 |
10 | * Documentation, licence and source code: https://github.com/adeverteuil/forced-command-ssh-ca
11 | EOF
12 |
--------------------------------------------------------------------------------
/files/sudoers-sshca:
--------------------------------------------------------------------------------
1 | # Allow members of the sshca group to run /usr/local/bin/ssh-ca as the sshca user.
2 | # Preserve the SSH_ORIGINAL_COMMAND environment variable.
3 | Defaults!/usr/local/bin/ssh-ca env_keep += SSH_ORIGINAL_COMMAND
4 | %ssh-ca-users ALL = (sshca) NOPASSWD: /usr/local/bin/ssh-ca ""
5 |
--------------------------------------------------------------------------------
/install.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: ssh-ca
3 |
4 | tasks:
5 |
6 | - name: install required packages
7 | apt:
8 | name: "{{ item }}"
9 | state: present
10 | with_items:
11 | - ntp
12 | - uuid
13 |
14 | - name: create the sshca user
15 | user:
16 | name: sshca
17 | system: yes
18 | createhome: no
19 |
20 | - name: install ssh-ca
21 | copy:
22 | src: ssh-ca
23 | dest: /usr/local/bin/ssh-ca
24 | owner: sshca
25 | group: sshca
26 | mode: 0750
27 |
28 | - name: configure ssh-ca
29 | template:
30 | src: ssh-ca.conf.j2
31 | dest: /etc/ssh-ca.conf
32 |
33 | - name: configure sshd
34 | template:
35 | src: sshd_config.j2
36 | dest: /etc/ssh/sshd_config
37 | notify: restart ssh
38 |
39 | - name: create the CA directory
40 | file:
41 | dest: /usr/local/lib/ssh-ca
42 | state: directory
43 | owner: sshca
44 | group: sshca
45 | mode: 0700
46 |
47 | - name: install CA secret keys
48 | copy:
49 | content: "{{ item.secret }}"
50 | dest: /usr/local/lib/ssh-ca/{{ item.name }}
51 | owner: sshca
52 | group: sshca
53 | mode: 0600
54 | with_items: "{{ ssh_ca_keypairs }}"
55 | no_log: True
56 |
57 | - name: install CA public keys
58 | copy:
59 | content: "{{ item.public }}"
60 | dest: /usr/local/lib/ssh-ca/{{ item.name }}.pub
61 | owner: sshca
62 | group: sshca
63 | mode: 0640
64 | with_items: "{{ ssh_ca_keypairs }}"
65 | no_log: True
66 |
67 | - name: stat the key specified in ssh_ca_configuration.use_ca_key
68 | stat:
69 | path: /usr/local/lib/ssh-ca/{{ ssh_ca_configuration.use_ca_key }}
70 | register: stat_key
71 |
72 | - name: assert that use_ca_key is set to the name of an ssh_ca_keypairs item
73 | assert:
74 | that: stat_key.stat.exists
75 | msg: "{{ ssh_ca_configuration.use_ca_key }} is not a key defined in ssh_ca_keypairs"
76 |
77 | - name: create the log directory
78 | file:
79 | dest: /var/log/ssh-ca
80 | state: directory
81 | owner: sshca
82 | group: sshca
83 | mode: 0750
84 |
85 | - name: find all the host keys
86 | command: sed -n '/^HostKey/s/^HostKey *//p' /etc/ssh/sshd_config
87 | register: host_keys
88 | check_mode: no
89 | changed_when: no
90 |
91 | - name: sign the host keys
92 | command: ssh-keygen -s "/usr/local/lib/ssh-ca/{{ ssh_ca_configuration.use_ca_key }}"
93 | -h
94 | -P ""
95 | -I "{{ ssh_ca_configuration.use_ca_key }}"
96 | -V "-1h:+365d"
97 | -n "{{ ansible_eth0.ipv4.address }},{{ ansible_fqdn }}{% for principal in ssh_ca_configuration.additional_host_principals|default([]) %},{{ principal }}{% endfor %}"
98 | -z "{{ ansible_date_time.epoch }}"
99 | "{{ item }}.pub"
100 | args:
101 | creates: "{{ item }}-cert.pub"
102 | with_items: "{{ host_keys.stdout_lines }}"
103 | notify: restart ssh
104 |
105 | # https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
106 | - name: Add pam mkhomedir module for external (ipa) users
107 | lineinfile:
108 | dest: /etc/pam.d/common-session
109 | line: session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
110 | insertafter: 'session required pam_unix\.so'
111 |
112 | - name: put ASCII art in the motd
113 | copy:
114 | src: ssh-ca.motd
115 | dest: /etc/update-motd.d/99-forced-command-ssh-ca
116 | mode: 0755
117 |
118 | handlers:
119 |
120 | - name: restart ssh
121 | service:
122 | name: ssh
123 | state: restarted
124 |
--------------------------------------------------------------------------------
/ssh-csr:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # ssh-csr 1.1
4 | #
5 | # Licence and copyright
6 | #
7 | # This file is part of forced-command-ssh-ca, a self-serve automated SSH
8 | # certificate authority implemented as an SSH forced command
9 | # Copyright (C) 2018 Alexandre de Verteuil
10 | #
11 | # This program is free software: you can redistribute it and/or modify
12 | # it under the terms of the GNU Affero General Public License as published
13 | # by the Free Software Foundation, either version 3 of the License, or
14 | # (at your option) any later version.
15 | #
16 | # This program is distributed in the hope that it will be useful,
17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 | # GNU Affero General Public License for more details.
20 | #
21 | # You should have received a copy of the GNU Affero General Public License
22 | # along with this program. If not, see .
23 | #
24 | # ssh-csr establishes an SSH session with ssh-ca, specifies the
25 | # request is for a user certificate and what principals the
26 | # request is for, sends the public key from the file specified in
27 | # the SSH_CSR_IDENTITY environment variable, receives a signed
28 | # certificate valid for the requested principals, and writes it in a
29 | # file with the -cert.pub suffix.
30 | #
31 | # How to use
32 | #
33 | # To tell ssh-csr what public key to send, define the
34 | # SSH_CSR_IDENTITY environment variable in your .bashrc. If you
35 | # don't define it, $HOME/.ssh/id_rsa.pub will be used by default.
36 | #
37 | # Add the certificate authority to your known_hosts file. You can
38 | # do so by adding a line in your ~/.ssh/known_hosts:
39 | #
40 | # @cert-authority * ssh-rsa AAAAB5W...
41 | #
42 | # Ask your CA administrator what's your @cert-authority.
43 | #
44 | # Remain attentive to your CA administrator for @revoked lines to
45 | # add and @cert-authority lines to remove or add.
46 | #
47 | # In your ~/.ssh/config file, define a Host ssh-ca and specify the
48 | # HostName, User, Identity, etc. of your CA. Request help from your
49 | # CA administrator for the correct values.
50 | #
51 | # Test your config and known_hosts with "ssh ssh-ca config"
52 | # In the debug output, you should see:
53 | #
54 | # debug1: Server host certificate: ecdsa-sha2…
55 | # debug1: Host 'ssh-ca.example.com' is known and matches the ECDSA-CERT host certificate.
56 | # debug1: Found CA key in /home/adeverteuil/.ssh/known_hosts:76
57 | #
58 | # Copy ssh-csr to your $PATH, such as ~/bin or /usr/local/bin.
59 | #
60 | # Request a certificate by calling ssh-csr with the comma-separated
61 | # list of principals to include in your certificate.
62 | #
63 | # For example:
64 | # $ ssh-csr principal1,principal2
65 | # /home/adeverteuil/.ssh/id_rsa-cert.pub:
66 | # Type: ssh-rsa-cert-v01@openssh.com user certificate
67 | # Public key: RSA-CERT SHA256:bh/6eKMulLfWwdrfR+S9OegfNjHiHeEoa3tFzpRq4bQ
68 | # Signing CA: RSA SHA256:vrAgOA20VjUdXkfQYcEdJV1qlKYqp6A67wQ5IK+0pkk
69 | # Key ID: "adeverteuil"
70 | # Serial: 1514748458
71 | # Valid: from 2017-12-31T14:17:38 to 2017-12-31T14:37:38
72 | # Principals:
73 | # principal1
74 | # principal2
75 | # Critical Options: (none)
76 | # Extensions:
77 | # permit-X11-forwarding
78 | # permit-agent-forwarding
79 | # permit-port-forwarding
80 | # permit-pty
81 | # permit-user-rc
82 |
83 | identity="${SSH_CSR_IDENTITY:-$HOME/.ssh/id_rsa.pub}"
84 | cert="${identity%.pub}-cert.pub"
85 |
86 | # Running ssh-csr without parameters prints the current certificate details
87 | if [ -z "${1}" ]; then
88 | [ -r "${cert}" ] && ssh-keygen -L -f "${cert}"
89 | exit
90 | fi
91 |
92 | output="$(ssh ssh-ca user "${1}" <"${identity}" 2>&1)"
93 | rc=$?
94 |
95 | if [ ${rc} -eq 0 ]; then
96 | echo "${output}" > "${cert}"
97 | ssh-keygen -L -f "${cert}"
98 | else
99 | echo "${output}"
100 | fi
101 |
--------------------------------------------------------------------------------
/templates/ssh-ca.conf.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | {% set config = ssh_ca_configuration %}
3 | SSH_CA_KEY="{{ config.use_ca_key }}"
4 | SSH_CA_CERTIFICATE_VALIDITY="{{ config.certificate_validity }}"
5 | SSH_CA_CERTIFICATE_OPTIONS="{% for option in config.certificate_options|default([]) %} -O {{ option }}{% endfor %}"
6 |
--------------------------------------------------------------------------------
/templates/sshd_config.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 |
3 | Port 22
4 | Protocol 2
5 | # HostKeys for protocol version 2
6 | HostKey /etc/ssh/ssh_host_rsa_key
7 | HostKey /etc/ssh/ssh_host_dsa_key
8 | HostKey /etc/ssh/ssh_host_ecdsa_key
9 | HostKey /etc/ssh/ssh_host_ed25519_key
10 | HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
11 | HostCertificate /etc/ssh/ssh_host_dsa_key-cert.pub
12 | HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
13 | HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
14 | #Privilege Separation is turned on for security
15 | UsePrivilegeSeparation yes
16 |
17 | # Lifetime and size of ephemeral version 1 server key
18 | KeyRegenerationInterval 3600
19 | ServerKeyBits 1024
20 |
21 | # Logging
22 | SyslogFacility AUTH
23 | LogLevel INFO
24 |
25 | # Authentication:
26 | LoginGraceTime 120
27 | PermitRootLogin without-password
28 | StrictModes yes
29 |
30 | RSAAuthentication yes
31 | PubkeyAuthentication yes
32 | #AuthorizedKeysFile %h/.ssh/authorized_keys
33 | {% if ssh_ca_configuration.freeipa_integration|default(False) %}
34 | AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
35 | AuthorizedKeysCommandUser nobody
36 | {% endif %}
37 |
38 | # Don't read the user's ~/.rhosts and ~/.shosts files
39 | IgnoreRhosts yes
40 | # For this to work you will also need host keys in /etc/ssh_known_hosts
41 | RhostsRSAAuthentication no
42 | # similar for protocol version 2
43 | HostbasedAuthentication no
44 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
45 | #IgnoreUserKnownHosts yes
46 |
47 | # To enable empty passwords, change to yes (NOT RECOMMENDED)
48 | PermitEmptyPasswords no
49 |
50 | # Change to yes to enable challenge-response passwords (beware issues with
51 | # some PAM modules and threads)
52 | ChallengeResponseAuthentication no
53 |
54 | # Change to no to disable tunnelled clear text passwords
55 | PasswordAuthentication no
56 |
57 | X11Forwarding no
58 | PrintMotd no
59 | PrintLastLog yes
60 | TCPKeepAlive yes
61 |
62 | #MaxStartups 10:30:60
63 | MaxStartups 50:20:100
64 | #MaxSessions 10
65 | MaxSessions 50
66 | #Banner /etc/issue.net
67 |
68 | # Allow client to pass locale environment variables
69 | AcceptEnv LANG LC_*
70 |
71 | Subsystem sftp /usr/lib/openssh/sftp-server
72 |
73 | # Set this to 'yes' to enable PAM authentication, account processing,
74 | # and session processing. If this is enabled, PAM authentication will
75 | # be allowed through the ChallengeResponseAuthentication and
76 | # PasswordAuthentication. Depending on your PAM configuration,
77 | # PAM authentication via ChallengeResponseAuthentication may bypass
78 | # the setting of "PermitRootLogin without-password".
79 | # If you just want the PAM account and session checks to run without
80 | # PAM authentication, then enable this but set PasswordAuthentication
81 | # and ChallengeResponseAuthentication to 'no'.
82 | UsePAM yes
83 |
84 | # Any non-root users are CA users which can only use the SSH server to sign SSH certificates.
85 | Match Group ssh-ca-users
86 | ForceCommand /usr/bin/sudo -u sshca /usr/local/bin/ssh-ca
87 | AllowAgentForwarding no
88 | AllowTcpForwarding no
89 |
--------------------------------------------------------------------------------
/test.yml:
--------------------------------------------------------------------------------
1 | # Do various integration tests on the SSH CA
2 |
--------------------------------------------------------------------------------
/users.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: ssh-ca
3 |
4 | tasks:
5 |
6 | - name: add the ssh-ca-users group to the sudoers for the forced command
7 | copy:
8 | src: sudoers-sshca
9 | dest: /etc/sudoers.d/sshca
10 | mode: 0440
11 | when: ssh_ca_configuration.freeipa_integration
12 |
13 | - name: remove the local sudoers config if freeipa_integration is false
14 | file:
15 | dest: /etc/sudoers.d/sshca
16 | state: absent
17 | when: not ssh_ca_configuration.freeipa_integration
18 |
19 | - name: create the ssh-ca-users group
20 | group:
21 | name: ssh-ca-users
22 | state: present
23 |
24 | - name: create users
25 | user:
26 | name: "{{ item.name }}"
27 | comment: "{{ item.comment|default(omit) }}"
28 | groups: ssh-ca-users
29 | state: "{{ item.state|default(omit) }}"
30 | with_items: "{{ ssh_ca_users }}"
31 |
32 | - name: provision authorized SSH keys for users
33 | authorized_key:
34 | user: "{{ item.0.name }}"
35 | key: "{{ item.1.key }}"
36 | state: "{{ item.1.state|default('present') }}"
37 | with_subelements:
38 | - "{{ ssh_ca_users }}"
39 | - ssh_keys
40 | when: item.0.state|default("present") == "present"
41 |
42 | - name: provision superuser SSH keys
43 | authorized_key:
44 | user: "{{ ansible_user }}"
45 | key: "{{ item.1.key }}"
46 | state: "{% if item.0.state|default('present') == 'present' and item.0.superuser|default(False) and item.1.state|default('present') == 'present' %}present{% else %}absent{% endif %}"
47 | with_subelements:
48 | - "{{ ssh_ca_users }}"
49 | - ssh_keys
50 |
--------------------------------------------------------------------------------
/vars.template.yml:
--------------------------------------------------------------------------------
1 | # vi: nowrap
2 | ---
3 | ssh_ca_users:
4 | - name: adeverteuil # Valid POSIX username
5 | comment: Alexandre de Verteuil
6 | ssh_keys:
7 | - key: ecdsa-sha2-nistp256 AAAAE2VjZHNh......2zt4HI= adeverteuil@work-laptop
8 | - key: ssh-rsa AAAAB3NzaC1yc2E......N30aU+jIn adeverteuil@work-laptop
9 | state: absent # Remove this old SSH key
10 | - name: jsmith
11 | comment: John Smith
12 | ssh_keys:
13 | - ...
14 | state: absent # Disabling the user
15 |
16 | # You better define this variable in an Ansible Vault
17 | ssh_ca_keypairs:
18 | - name: iweb-sc-01
19 | secret: |
20 | -----BEGIN RSA PRIVATE KEY-----
21 | MIIEowIBAAKCAQEAwpQh5AdhGSK5/yHjkjjBAT6tdMjeOapLUVUymiEeIxIc2GaI
22 | 3ivZ8ZaXX7WzbvSX8vXLw5DzpOHz+oa4gfUyKPePKv/WBKVP5qJrVY2R6AWINowL
23 | [...]
24 | dUBJmynMHRW1DicDedfkjBBQN2y/EOYYjX1nhLyNxPYCaL4fphc+kKHcY3bYubUq
25 | UNB7VFkSAv6FEwFyWJKUlxfPX64btbIVXC71xdZrFkWX9Pwv06gc
26 | -----END RSA PRIVATE KEY-----
27 | public: ssh-rsa AAAAB3NzaC1yc.....TUHN65v iweb-sc-01
28 |
29 | ssh_ca_configuration:
30 | use_ca_key: iweb-sc-01 # The name of an ssh_ca_keypairs item
31 | certificate_validity: "-10m:+10m" # -V option for key signing
32 | certificate_options: # Options to add to the signed certificates, if any
33 | - no-port-forwarding
34 | - source-address=1.2.3.4/24,5.6.7.8/24
35 | additional_host_principals: []
36 | # Optional list of additional principal to include in the host
37 | # certificates in case the hostname is different from the DNS name
38 | # used to connect to the ssh-ca.
39 |
--------------------------------------------------------------------------------