readme update

README.md

@@ -18,6 +18,12 @@ step ca init --ssh --acme
 
 ## SSH Certificates
 
+Install script:
+
+```bash
+bash <(curl -sL https://gitea.john-stream.com/john/janus/raw/branch/main/scripts/ssh-server-check.sh)
+```
+
 ### Server
 
 Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.

scripts/ssh-client.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+
+#
+# Env vars
+#
+
+SSH_CFG_PATH="$(readlink -f ~/.ssh)"
+SSH_USER_KEY="$SSH_CFG_PATH/id_ed25519"
+SSH_USER_PUBLIC_KEY="$SSH_USER_KEY.pub"
+SSH_USER_CERT="$SSH_USER_KEY-cert.pub"
+
+GREEN_CHECK="\e[32m✔\e[0m"
+RED_X="\e[31m✗\e[0m"
+YELLOW_BANG="\e[33m!\e[0m"
+MAGENTA_QUESTION="\e[35m?\e[0m"
+UP_ONE_LINE="\e[1A"
+
+#
+# Function Definitions
+#
+
+reset_line() {
+    echo -en "\r\e[K"
+}
+
+title_msg() {
+    local title="\e[1m${1:-Title}:\e[0m"
+    local prompt="${2:-Prompt for the user}"
+    # printf "%b %b" "$title" "$prompt"
+    echo -e "$title $prompt"
+}
+
+prompt_user() {
+    full_prompt_msg="$(title_msg "${1}" "${2}")"
+    echo -n -e "$MAGENTA_QUESTION $full_prompt_msg"
+    read -p " (y/n) " -r
+}
+
+update_prompt() {
+    local icon="$1"
+    case $# in
+        1) msg="$full_prompt_msg $REPLY";;
+        2) msg="$2";;
+        3) msg="$(title_msg "${2}" "${3}")";;
+        *) msg="Too many arguments";;
+    esac
+
+    reset_line
+    echo -e "$icon $msg"
+}
+
+reupdate_prompt() {
+    # echo -en "$UP_ONE_LINE"
+    echo -en "$UP_ONE_LINE"
+    update_prompt "$@"
+}
+
+icon_msg() {
+    local icon="$1"
+    echo -en "$icon "
+    title_msg "${@:2}"
+}
+
+success_msg() {
+    icon_msg "${GREEN_CHECK}" "$@"
+}
+
+warn_msg() {
+    icon_msg "${YELLOW_BANG}" "$@"
+}
+
+check_user_private_key() {
+    if [[ -e "$SSH_USER_KEY" ]]; then
+        success_msg "SSH User" "Private key: $SSH_USER_KEY"
+    else
+        prompt_user "SSH User" "Private key missing: ${SSH_USER_KEY}. Create?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            reupdate_prompt $YELLOW_BANG "SSH User" "Creating private key"
+            ERROR_MSG=$(ssh-keygen -t ed25519 -f "$SSH_USER_KEY" -N "" 2>&1)
+            if [[ $? -eq 0 ]]; then
+                reupdate_prompt $GREEN_CHECK "SSH User" "Created private key: ${SSH_USER_KEY}"
+            else
+                reupdate_prompt $RED_X "SSH User" "Failed to create key: ${SSH_USER_KEY}"
+                echo -e "Error: $ERROR_MSG"
+            fi
+        elif [[ $REPLY =~ ^[Nn]$ ]]; then
+            reupdate_prompt $YELLOW_BANG "SSH User" "Continuing without private key"
+        fi
+    fi
+}
+
+check_user_cert() {
+    if [[ -e "$SSH_USER_CERT" ]]; then
+        success_msg "SSH User" "Certificate: $SSH_USER_CERT"
+    else
+        prompt_user "SSH User" "Cert missing. Renew cert?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            if renew_user_cert; then
+                update_prompt $GREEN_CHECK "SSH User" "Renewed cert"
+            else
+                update_prompt $RED_X "SSH User" "Failed to renew cert"
+            fi
+        elif [[ $REPLY =~ ^[Nn]$ ]]; then
+            reupdate_prompt $RED_X "SSH User" "Declined to renew cert"
+        fi
+    fi
+}
+
+renew_user_cert() {
+    step ssh certificate --sign \
+        --principal root --principal john \
+        --provisioner admin \
+        john@john-pc-ubuntu ~/.ssh/id_ed25519.pub < /dev/tty
+}
+
+#
+# Run Process
+#
+
+check_user_private_key
+check_user_cert

scripts/ssh-server-check.sh

@@ -1,14 +1,30 @@
 #!/usr/bin/env bash
 
+#
+# Env vars
+#
+
+# SSH config paths
+SSH_CFG_DIR="/etc/ssh"
+SSH_USER_CA="$SSH_CFG_DIR/ssh_user_ca.pub"
+SSH_HOST_KEY="$SSH_CFG_DIR/ssh_host_ed25519_key"
+SSH_HOST_PUBLIC_KEY="$SSH_HOST_KEY.pub"
+SSH_HOST_CERT="$SSH_HOST_KEY-cert.pub"
+
 GREEN_CHECK="\e[32m✔\e[0m"
 RED_X="\e[31m✗\e[0m"
 YELLOW_BANG="\e[33m!\e[0m"
 
-#
-# Function Definition
-#
+CREATE_USER_CA=0
+CREATE_HOST_CERT=0
+NEEDS_RESTART=0
 
 
+#
+# Function Definitions
+#
+
+# This test loads the sshd config to see what values actually get parsed.
 ssh_config_val() {
     local field="$1"
     local val
@@ -21,11 +37,46 @@ ssh_config_val() {
     echo $(sshd -T 2>/dev/null | grep -i "^$field " | head -1 | awk '{print $2}')
 }
 
-green_checkmark() {
-    printf "\e[32m✔\e[0m"
+title_msg() {
+    local title="\e[1m${1:-Title}:\e[0m"
+    local prompt="${2:-Prompt for the user}"
+    # printf "%b %b" "$title" "$prompt"
+    echo -e "$title $prompt"
 }
 
-check_ssh_files() {
+prompt_user() {
+    full_prompt_msg="$(title_msg "${1}" "${2}")"
+    echo -n -e "$YELLOW_BANG $full_prompt_msg"
+    read -p " (y/n) " -n 1 -r
+}
+
+update_prompt() {
+    local icon="$1"
+    case $# in
+        1) msg="$full_prompt_msg $REPLY";;
+        2) msg="$2";;
+        3) msg="$(title_msg "${2}" "${3}")";;
+        *) msg="Too many arguments";;
+    esac
+
+    echo -en "\r\e[K"
+    echo -e "$icon $msg"
+}
+
+sign_host_cert() {
+    local if="eth0"
+    local IP_ADDRESS=$(ip -4 addr show dev $if | awk '/inet /{print $2}' | cut -d/ -f1) && \
+    local hostname=$(hostname -s) && \
+    step ssh certificate --host --sign \
+    --principal "$hostname" \
+    --principal "$hostname.john-stream.com" \
+    --principal "$IP_ADDRESS" \
+    --provisioner admin \
+    "$hostname" "$SSH_HOST_PUBLIC_KEY"
+}
+
+
+check_ssh_config_files() {
     row_success() {
         local key="$1"
         local path="$2"
@@ -70,33 +121,25 @@ check_ssh_files() {
 
     row_process "hostkey"
     row_process "hostcertificate"
+    case "$status" in
+        missing) CREATE_HOST_CERT=1;;
+    esac
     row_process "trustedusercakeys"
     case "$status" in
-        success) return ;;
-        missing)
-            # Do something if trustedusercakeys is missing
-            read -p "Create the trusted keys file? (y/n) " -n 1 -r
-            echo
-            if [[ $REPLY =~ ^[Yy]$ ]]; then
-                echo "Creating public key file at $path"
-                (step ssh config --roots > "$path")
-                echo -e "$GREEN_CHECK  Created public key file for SSH user CA"
-            fi
-            ;;
-        unconfigured) return;;
+        missing) CREATE_USER_CA=1;;
     esac
+    echo
 }
 
 ssh_fingerprint() {
 	local field="$1"
-	local ca_path
 
 	if [[ -z "$field" ]]; then
-        echo "usage: ssh_fingerprint <trusteduserca|hostcertificate|...>" >&2
+        echo "usage: ssh_fingerprint <field>" >&2
         return 2
     fi
 
-    cfg_path=$(ssh_config_val $field)
+    local cfg_path=$(ssh_config_val $field)
 
     if [[ -z "$cfg_path" ]]; then
         echo "error: sshd field '$field' not found or empty" >&2
@@ -111,55 +154,77 @@ ssh_fingerprint() {
     ssh-keygen -lf "$cfg_path" | awk '{ print $2 }'
 }
 
-install_cert_config() {
+check_cert_config() {
     local base_dir="/etc/ssh/sshd_config.d"
-    local cfg_path="${1:-$base_dir/certs.conf}"
+    local cfg_path="$base_dir/${1:-certs.conf}"
 
-    mkdir -p $(dirname $cfg_path)
-
-    cat <<EOF > $cfg_path
-TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+    install_cert_config() {
+        mkdir -p $(dirname $cfg_path)
+        cat <<EOF > $cfg_path
+TrustedUserCAKeys $SSH_USER_CA
+HostKey $SSH_HOST_KEY
+HostCertificate $SSH_HOST_CERT
 EOF
+    }
 
-    echo -e "$GREEN_CHECK  Configured sshd to use and accept SSH certs."
-}
-
-
-restart_sshd() {
-    if systemctl is-active --quiet sshd; then
-        local sshd_pid=$(systemctl show --property MainPID --value sshd)
-        echo "Restarting sshd service..."
-        systemctl restart sshd
-        echo -e "$GREEN_CHECK  Restarted sshd service on PID: $sshd_pid"
-    else
-        echo -e "$YELLOW_BANG  Not running sshd service"
-        read -p "Do you want to start sshd? (y/n) " -n 1 -r
-        echo
+    if [[ ! -e $cfg_path ]]; then
+        prompt_user "sshd" "Currently unconfigured for certs. Do you want to configure?"
         if [[ $REPLY =~ ^[Yy]$ ]]; then
-            systemctl start sshd
-            echo -e "$GREEN_CHECK  Started sshd"
+            install_cert_config
+            update_prompt $GREEN_CHECK "sshd" "Configured to use and accept certs"
+            NEEDS_RESTART=1
         fi
     fi
 }
 
-#
-# Run Process
-#
-
-if [[ ! -e "/etc/ssh/sshd_config.d/certs.conf" ]]; then
-    echo -e "$YELLOW_BANG  sshd not configured to use SSH certs"
-    read -p "Do you want to configure sshd? (y/n) " -n 1 -r
-    echo
-    if [[ $REPLY =~ ^[Yy]$ ]]; then
-        install_cert_config
-        restart_sshd
+restart_sshd() {
+    if [[ $NEEDS_RESTART -eq 0 ]]; then return; fi
+    echo -en "$YELLOW_BANG Restarting sshd..."
+    systemctl restart sshd
+    if [[ $? -eq 0 ]]; then
+        local sshd_pid=$(systemctl show --property MainPID --value sshd)
+        update_prompt $GREEN_CHECK "sshd" "Restarted sshd.service on PID: $sshd_pid"
+    else
+        update_prompt $RED_X "sshd" "Failed to restart sshd.service"
+        exit 1
     fi
-fi
+    echo
+}
 
-check_ssh_files
+create_files() {
+    if [[ $CREATE_HOST_CERT -eq 1 ]]; then
+        prompt_user "SSH Host" "Cert missing. Sign the ssh host cert?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            update_prompt $YELLOW_BANG "Signing ssh host cert"
+            sign_host_cert
+            NEEDS_RESTART=1
+        else
+            update_prompt $RED_X
+        fi
+    fi
 
-echo ""
-echo "Host key fingerprint"
-ssh_fingerprint hostkey
+    if [[ $CREATE_USER_CA -eq 1 ]]; then
+        prompt_user "SSH Host" "Create the trusted keys file?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            (step ssh config --roots > "$path")
+            update_prompt $GREEN_CHECK "SSH Host" "Created the trusted keys file for the SSH host."
+            NEEDS_RESTART=1
+        else
+            update_prompt $RED_X
+        fi
+    fi
+}
+
+
+# Run Process
+
+check_cert_config "certs.conf"
+check_ssh_config_files
+create_files
+restart_sshd
+
+title_msg "SSH Host Cert" "$SSH_HOST_CERT"
+CERT_INFO=$(ssh-keygen -Lf "$SSH_HOST_CERT")
+echo -e "$CERT_INFO" | grep "Public key"
+echo -e "$CERT_INFO" | grep "Valid"
+echo -e "$CERT_INFO" | grep -A3 "Principals"