spiffe/spiffe-step-ssh

spiffe-step-ssh

Apache 2.0 License Development Phase

Issue SSH host certificates using SPIFFE

Client Dependencies

A working spire-agent bound to a spire-server. See the helm-chart install instructions or the general quickstart.

The step binary also needs to be installed (see its install instructions).

Server

There is a helm chart available here.

Server Config

Each node needs its own registration entry under the /sshd/ path of the trust domain.

Example:

spire-server entry create \
  -parentID spiffe://example.com/spire/agent/http_challenge/test.example.com \
  -spiffeID spiffe://example.com/sshd/test.example.com \
  -selector systemd:id:spiffe-step-ssh@main.service

Install

make install


High Availability

There are configurations that can get you to various levels of High Availability, up to and including running two complete SPIFFE trust domains, two spiffe-step-ssh servers, and two spiffe-step-ssh clients.

Add into /etc/spiffe/step-ssh/a.conf

SPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-a.example.org
SPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-a.example.org

Add into /etc/spiffe/step-ssh/b.conf

SPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-b.example.org
SPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-b.example.org

Enable and start both client instances:

systemctl enable spiffe-step-ssh@a spiffe-step-ssh@b
systemctl start spiffe-step-ssh@a spiffe-step-ssh@b

Add both Step CA SSH host CA keys to known_hosts on your SSH clients, so that host certificates issued by either CA are accepted.
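The following is an added audit helper, not code from spiffe-step-ssh: it builds the @cert-authority known_hosts lines the two-CA setup above needs, parses an OpenSSH host certificate, and reports whether the CA that issued it is one the client trusts for that host. It assumes ed25519 CA keys, builds a constructed sample certificate with a placeholder signature, and approximates OpenSSH host patterns with fnmatch; signature verification itself is left to OpenSSH, this only checks CA identity and host coverage.

```python
import base64
import fnmatch
import struct

def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b        # SSH 'string': uint32 length + bytes

def _read(buf: bytes, pos: int):
    """Decode one SSH 'string' at pos; return (value, position after it)."""
    n = int.from_bytes(buf[pos:pos + 4], "big")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def cert_authority_line(host_pattern: str, ca_pk: bytes) -> str:
    """known_hosts line trusting an ed25519 CA (32-byte raw key) for host_pattern."""
    blob = _s(b"ssh-ed25519") + _s(ca_pk)        # same wire blob the cert embeds
    return f"@cert-authority {host_pattern} ssh-ed25519 {base64.b64encode(blob).decode()}"

def make_host_cert(host_pk: bytes, ca_pk: bytes, principals, serial: int = 1) -> str:
    """Constructed sample in OpenSSH's -cert-v01 layout; the signature is a placeholder."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(bytes(32)) + _s(host_pk)
            + struct.pack(">QI", serial, 2)                    # serial, type 2 = host cert
            + _s(b"host-key") + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)                 # valid_after, valid_before
            + _s(b"") + _s(b"") + _s(b"")                      # critical opts, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pk)) + _s(b"placeholder-signature"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

def signing_ca_of(cert_line: str):
    """Return (signing CA key blob, [principals]) carried inside a host cert line."""
    blob, pos, fields = base64.b64decode(cert_line.split()[1]), 0, []
    for skip in (0, 0, 0, 12, 0, 16, 0, 0, 0):   # ints (serial+type, validity) precede strings 4 and 6
        s, pos = _read(blob, pos + skip)
        fields.append(s)
    plist, principals, p = fields[4], [], 0
    while p < len(plist):                        # principals are themselves packed strings
        name, p = _read(plist, p)
        principals.append(name.decode())
    return fields[8], principals

def trusted_cas(known_hosts: str):
    """Collect ([host patterns], CA key blob) from every @cert-authority line."""
    rows = [line.split() for line in known_hosts.splitlines()]
    return [(f[1].split(","), base64.b64decode(f[3]))
            for f in rows if len(f) >= 4 and f[0] == "@cert-authority"]

def cert_trusted_for(cert_line: str, hostname: str, known_hosts: str) -> bool:
    """Audit: cert names hostname and its CA is trusted for that host (no signature check)."""
    ca_blob, principals = signing_ca_of(cert_line)
    return hostname in principals and any(blob == ca_blob and any(
        fnmatch.fnmatch(hostname, pat) for pat in pats) for pats, blob in trusted_cas(known_hosts))
```

With both CA lines present a certificate from either Step CA passes; drop one line and certificates from that CA are no longer trusted, which is the failure the HA setup guards against.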