janus/README.md

# Janus

Janus is the god of doorways and passages.

## Setup

### Step-CA [Getting Started]

[Getting Started]: https://smallstep.com/docs/step-ca/getting-started/

```
step ca init --ssh --acme
```

### [Running `step-ca` as a Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon)

### [Renewal using `systemd` timers](https://smallstep.com/docs/step-ca/renewal/#renewal-using-systemd-timers)

## SSH Certificates

Install script:

```bash
bash <(curl -sL https://gitea.john-stream.com/john/janus/raw/branch/main/scripts/ssh-server-check.sh)
```

### Server

Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.

```
export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
export HOSTNAME=$(hostname -s) && \
step ssh certificate --host --sign \
--principal "$HOSTNAME" \
--principal "$HOSTNAME.john-stream.com" \
--principal "$IP_ADDRESS" \
--provisioner admin \
"$HOSTNAME" /etc/ssh/ssh_host_ed25519_key.pub
```

Get the (public) cert for the CA that signs the user SSH certs from step-ca.

```
step ssh config --roots > /etc/ssh/ssh_user_ca.pub
```

Configure sshd to point to the key/cert combo.

```
cat <<EOF > /etc/ssh/sshd_config.d/certs.conf
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
```

```
systemctl reload sshd
```

### Client

Trust certs that are signed by Janus:

```
(umask 022; cat <<EOF > ~/.ssh/known_hosts
@cert-authority *.john-stream.com,192.168.1.* $(step ssh config --host --roots)
EOF
)
```

```
step ssh certificate --sign \
--principal root --principal john \
--provisioner admin \
john ~/.ssh/id_ed25519.pub
```