60 lines
1.3 KiB
Markdown
60 lines
1.3 KiB
Markdown
# Janus
|
|
|
|
Janus is the god of doorways and passages.
|
|
|
|
## Setup
|
|
|
|
### Step-CA [Getting Started]
|
|
|
|
[Getting Started]: https://smallstep.com/docs/step-ca/getting-started/
|
|
|
|
```
|
|
step ca init --ssh --acme
|
|
```
|
|
|
|
### [Running `step-ca` as a Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon)
|
|
|
|
### [Renewal using `systemd` timers](https://smallstep.com/docs/step-ca/renewal/#renewal-using-systemd-timers)
|
|
|
|
## SSH Certificates
|
|
|
|
### Server
|
|
|
|
Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.
|
|
|
|
```
|
|
step ssh certificate --host --sign \
|
|
--principal janus --principal janus.john-stream.com \
|
|
--provisioner admin \
|
|
janus /etc/ssh/ssh_host_ed25519_key.pub
|
|
```
|
|
|
|
Get the (public) cert for the CA that signs the user SSH certs from step-ca.
|
|
|
|
```
|
|
step ssh config --roots > /etc/ssh/ssh_user_ca.pub
|
|
```
|
|
|
|
Configure sshd to point to the key/cert combo.
|
|
|
|
```
|
|
cat <<EOF > /etc/ssh/sshd_config.d/certs.conf
|
|
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
EOF
|
|
```
|
|
|
|
```
|
|
systemctl reload sshd
|
|
```
|
|
|
|
### Client
|
|
|
|
```
|
|
step ssh certificate --sign \
|
|
--principal root --principal john \
|
|
--provisioner admin \
|
|
john@john-pc-ubuntu ~/.ssh/id_ed25519.pub
|
|
```
|