From 9ef7b2695c2e73fabac200fb6ee217e9085b83e4 Mon Sep 17 00:00:00 2001
From: Ricard Illa
Date: Fri, 2 Sep 2022 17:01:23 +0200
Subject: [PATCH] feat: ssh user certificates
---
 roles/sshd/files/user_ca.pub | 42 +++++++++++++++++++++++++++++
 roles/sshd/tasks/certs.yml | 8 ++++++
 roles/sshd/templates/sshd_config.j2 | 1 +
 3 files changed, 51 insertions(+)
 create mode 100644 roles/sshd/files/user_ca.pub
diff --git a/roles/sshd/files/user_ca.pub b/roles/sshd/files/user_ca.pub
new file mode 100644
index 0000000..31dc5fd
--- /dev/null
+++ b/roles/sshd/files/user_ca.pub
@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.1;AES256
+32383133323435383365396430333735333632656236613033653135346661663239313334346461 6139323339396239383838326465633630383733636533300a383762326630653932656532393531 32336463623836393233633462636465613631376231363566353937626337333739626335663235 6530313532633734630a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
diff --git a/roles/sshd/tasks/certs.yml b/roles/sshd/tasks/certs.yml
index 95cf345..5c58399 100644
--- a/roles/sshd/tasks/certs.yml
+++ b/roles/sshd/tasks/certs.yml
@@ -21,3 +21,11 @@
 mode: '0600'
 owner: root
 group: root
+
+- name: copy user_ca.pub
+ copy:
+ src: user_ca.pub
+ dest: "/etc/ssh/user_ca.pub"
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index c1030a9..4696871 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -121,3 +121,4 @@ Subsystem sftp /usr/lib/ssh/sftp-server # ForceCommand cvs server HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca.pub
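Review bot: The `copy user_ca.pub` task installs whatever ansible-vault yields for `user_ca.pub` without checking that it is an SSH public key, so a wrong vault password or a corrupted blob leaves sshd with an unparsable TrustedUserCAKeys file and certificate logins fail quietly at auth time; add `validate: ssh-keygen -l -f %s` to the task so the play fails instead. The 0644 mode and root ownership are right for a CA public key, and since `copy` decrypts a vaulted `src` by default the task itself should work, but vaulting a public key buys nothing — if the file really holds only the CA's public half, committing it in the clear lets reviewers see which CA every host is being told to trust. The task that the `mode: '0600'` / `owner` / `group` context lines belong to starts outside the hunk.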
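Review bot: `TrustedUserCAKeys /etc/ssh/user_ca.pub` is added with neither an `AuthorizedPrincipalsFile` nor a `RevokedKeys` directive, so every certificate this CA ever signs is accepted on every host for whichever usernames it lists (root included, subject to PermitRootLogin), and a leaked or over-issued certificate cannot be withdrawn before it expires. Pair it with `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u` so each host opts in per account, and with `RevokedKeys /etc/ssh/revoked_keys` plus a task that creates that file (empty is fine) — sshd refuses all public-key authentication when the RevokedKeys file is missing or unreadable, so the directive must not be added without the file. Whether certificate logins work at all also depends on `PubkeyAuthentication` earlier in this template, outside the hunk, and sshd needs a reload for the new directive to take effect.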