
Janus

Janus is the god of doorways and passages.

Setup

Step-CA Getting Started

step ca init --ssh --acme

Running step-ca as a Daemon

Renewal using systemd timers

SSH Certificates

Install script (it is fetched over HTTPS from this repo's Gitea; download and read it before piping it into a shell):

curl -sL https://gitea.john-stream.com/john/janus/raw/branch/main/scripts/ssh-server-check.sh | bash

Server

Use step-ca to sign the server's existing host public key, producing a host certificate whose principals are the short hostname, the FQDN and the IPv4 address of eth0. The certificate is written next to the key as /etc/ssh/ssh_host_ed25519_key-cert.pub. The interface name and the john-stream.com domain are specific to this setup; adjust them for yours.

export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
export HOSTNAME=$(hostname -s) && \
step ssh certificate --host --sign \
--principal "$HOSTNAME" \
--principal "$HOSTNAME.john-stream.com" \
--principal "$IP_ADDRESS" \
--provisioner admin \
"$HOSTNAME" /etc/ssh/ssh_host_ed25519_key.pub

Fetch the public key of the user CA (the key step-ca uses to sign user SSH certificates) so that sshd can trust user certificates:

step ssh config --roots > /etc/ssh/ssh_user_ca.pub

Configure sshd to trust the user CA and to present the host key together with its certificate. Run sshd -t first so a bad drop-in file does not take sshd down on reload.

cat <<EOF > /etc/ssh/sshd_config.d/certs.conf
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
systemctl reload sshd

Client

Trust host certificates signed by the Janus host CA for the domain and the LAN range. Note that this overwrites ~/.ssh/known_hosts; use >> instead if it already holds entries you want to keep:

(umask 022; cat <<EOF > ~/.ssh/known_hosts
@cert-authority *.john-stream.com,192.168.1.* $(step ssh config --host --roots)
EOF
)
Then have step-ca sign the user key. The certificate is written to ~/.ssh/id_ed25519-cert.pub and ssh picks it up automatically alongside the private key; the root principal lets this certificate log in as root wherever sshd permits it.

step ssh certificate --sign \
--principal root --principal john \
--provisioner admin \
john ~/.ssh/id_ed25519.pub
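A post-setup check script for both the server and the client steps above, added here as an example (it is not part of the Janus repo or of step-cli). It verifies that a certificate carries the expected principals, wraps the same key that sshd or ssh will load, and was signed by the CA the other side trusts, and it merges an @cert-authority line into known_hosts without discarding existing entries. It uses only ssh-keygen; the /etc/ssh paths and the step invocations in the usage note are the ones from this README, everything else (function names, the single-CA-key assumption) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not code from the Janus repo: sanity checks for the
# certificates produced above, using only ssh-keygen. The /etc/ssh paths in
# the usage note match this README; everything else here is an assumption.
set -e

# Merge one @cert-authority line into a known_hosts file. An existing
# @cert-authority entry for the same host pattern is replaced; every other
# line (plain host keys, other CAs) is preserved. Assumes a single CA key.
known_hosts_add_ca() {
    kh=$1; pattern=$2; ca_key=$3
    tmp=$(mktemp)
    if [ -f "$kh" ]; then
        # keep every line except an @cert-authority entry for this exact pattern
        awk -v p="$pattern" '!($1 == "@cert-authority" && $2 == p)' "$kh" > "$tmp"
    fi
    printf '@cert-authority %s %s\n' "$pattern" "$ca_key" >> "$tmp"
    (umask 022; cat "$tmp" > "$kh")
    rm -f "$tmp"
}

# Print the principals embedded in a certificate, one per line
# (the indented block between "Principals:" and "Critical Options:").
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/       { inp = 1; next }
        /^[[:space:]]*Critical Options:/ { inp = 0 }
        inp { sub(/^[[:space:]]+/, ""); print }'
}

# Succeed only if every principal named after the cert path is present on it.
cert_has_principals() {
    cert=$1; shift
    have=$(cert_principals "$cert")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$want" || return 1
    done
}

# SHA256 fingerprint of the key in a .pub file. For a certificate ssh-keygen
# reports the fingerprint of the key inside it, so the two compare directly.
key_fp() { ssh-keygen -lf "$1" | awk '{print $2}'; }

# The certificate must wrap the same key that sshd (HostKey) or ssh will load.
cert_matches_key() { [ "$(key_fp "$1")" = "$(key_fp "$2")" ]; }

# The certificate must be signed by the CA key the other side trusts
# (host CA for host certs, user CA for user certs).
cert_signed_by() {
    signer=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
    [ "$signer" = "$(key_fp "$2")" ]
}
```

On a server, after the signing step: cert_has_principals /etc/ssh/ssh_host_ed25519_key-cert.pub "$(hostname -s)" and cert_matches_key /etc/ssh/ssh_host_ed25519_key-cert.pub /etc/ssh/ssh_host_ed25519_key.pub, then step ssh config --host --roots > /tmp/host_ca.pub && cert_signed_by /etc/ssh/ssh_host_ed25519_key-cert.pub /tmp/host_ca.pub. On a client, known_hosts_add_ca ~/.ssh/known_hosts '*.john-stream.com,192.168.1.*' "$(step ssh config --host --roots)" does what the heredoc above does without clobbering the rest of known_hosts, and the same three checks apply to ~/.ssh/id_ed25519-cert.pub against ~/.ssh/id_ed25519.pub and the user CA from step ssh config --roots.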