-
Notifications
You must be signed in to change notification settings - Fork 20
/
adhoc-sshd_sign_host_key.yml
107 lines (95 loc) · 3.84 KB
/
adhoc-sshd_sign_host_key.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
---
# This adhoc playbook can be used to boostrap a newly deployed node (included in another one)
# It will retrieve the sshd host pub keys (so first user manually connecting will have to validate it
# and then it will submit those .pub files for signing by the central CA
# Once done, it will put back in place the signed files
# Standard baseline role can then really configure sshd_config, using the /etc/ssh/ssh_host_rsa_key-cert.pub
# From that point, any host using the deployed known_hosts file will be able to connect without any warning
# Purposes: being able to use ssh certificats (see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates)
# Needed variables (in your inventory)
# ssh_ca_host: which host (from your inventory) is the signing host
# ssh_ca_keystore: file on disk on the CA host that will contain the nodes files
# ssh_ca_host_key: the ssh private key that will be used to sign all the .pub files
- hosts: all
become: True
tasks:
- meta: clear_facts
- name: Ad-hoc task, ensuring we delete first
file:
path: "{{ ssh_ca_keystore }}/{{ inventory_hostname }}"
state: absent
delegate_to: "{{ ssh_ca_host }}"
- name: Ensuring we have directory to store nodes .pub files on CA host
file:
path: "{{ ssh_ca_keystore }}/{{ inventory_hostname }}"
state: directory
owner: root
group: root
mode: 0700
delegate_to: "{{ ssh_ca_host }}"
- name: Finding generated host ssh key on node
find:
paths: /etc/ssh
file_type: file
patterns: "ssh_host_*_key.pub"
register: ssh_host_pubkeys
- name: Copy ssh pub keys from node locally
fetch:
src: "{{ item.path }}"
dest: /var/tmp/ssh-pub-keys-{{ inventory_hostname }}/
flat: yes
with_items: "{{ ssh_host_pubkeys.files }}"
loop_control:
label: '{{ item.path }}'
- meta: clear_facts
- name: Ensuring we have needed .pub files on CA host
copy:
src: "/var/tmp/ssh-pub-keys-{{ inventory_hostname }}/"
dest: "{{ ssh_ca_keystore }}/{{ inventory_hostname }}/"
delegate_to: "{{ ssh_ca_host }}"
register: files_to_sign
- name: Signing host pub keys with CA key
shell: "ssh-keygen -s {{ ssh_ca_host_key }} -I {{ inventory_hostname }} -h ssh_host*_key.pub"
args:
chdir: "{{ ssh_ca_keystore }}/{{ inventory_hostname }}/"
when: files_to_sign is changed
register: ssh_signing
delegate_to: "{{ ssh_ca_host }}"
- name: Find new -cert.pub files on CA host
find:
paths: "{{ ssh_ca_keystore }}/{{ inventory_hostname }}/"
file_type: file
patterns: "ssh_host*-cert.pub"
register: ssh_signed_certs
delegate_to: "{{ ssh_ca_host }}"
when: ssh_signing is changed
- name: Copy -cert.pub files back from CA host
fetch:
src: "{{ item.path }}"
dest: "/var/tmp/ssh-pub-keys-{{ inventory_hostname }}/"
flat: yes
with_items: "{{ ssh_signed_certs.files }}"
delegate_to: "{{ ssh_ca_host }}"
loop_control:
label: "{{ item.path }}"
when: ssh_signing is changed
- name: Find new -cert.pub files locally
find:
paths: "/var/tmp/ssh-pub-keys-{{ inventory_hostname }}/"
file_type: file
patterns: "ssh_host*-cert.pub"
register: ssh_signed_certs
delegate_to: localhost
become: False
when: ssh_signing is changed
- name: Pushing back signed -cert.pub files back on the node
copy:
src: "{{ item.path }}"
dest: /etc/ssh/
with_items: "{{ ssh_signed_certs.files }}"
when: ssh_signing is changed
loop_control:
label: "{{ item.path }}"
notify: restart_sshd
handlers:
- import_tasks: handlers/main.yml