Issue SSH host certificates using SPIFFE
Prerequisites: a working spire-agent attested to a spire-server. See the helm-chart install instructions or the general SPIRE quickstart.
The step binary (the smallstep CLI) also needs to be installed on each node. See its Install Instructions.
A helm chart for the server side is available here.
Each SSH server node needs its own SPIRE registration entry, with a SPIFFE ID under the /sshd/ path of the trust domain and the node's agent ID as its parent. The selector binds the entry to the systemd unit the client runs as (spiffe-step-ssh@main.service in the example below); if the client runs under a different instance name, the selector must match that name or the workload will never receive its SVID.
Example:
spire-server entry create \
-parentID spiffe://example.com/spire/agent/http_challenge/test.example.com \
-spiffeID spiffe://example.com/sshd/test.example.com \
-selector systemd:id:spiffe-step-ssh@main.service
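Registering nodes one at a time is error-prone: a typo in either ID leaves a node without a usable identity. The script below, an added example that is not part of the spiffe-step-ssh project, derives the parent ID, the /sshd/ SPIFFE ID and the systemd selector from a node list so every entry is consistent. It assumes the trust domain example.com, the http_challenge node attestor and the "main" unit instance from the example above; the node list at the bottom is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the spiffe-step-ssh project): create one /sshd/ entry
# per node from a list of hostnames, so IDs stay consistent across the fleet.
# Assumptions: trust domain example.com, agents attested with http_challenge,
# and the client running as the systemd instance "main" (all overridable).
TRUST_DOMAIN="${TRUST_DOMAIN:-example.com}"
ATTESTOR="${ATTESTOR:-http_challenge}"
INSTANCE="${INSTANCE:-main}"
SPIRE_SERVER="${SPIRE_SERVER:-spire-server}"   # set to "echo spire-server" for a dry run

# sshd_parent_id NODE -> the agent SPIFFE ID that must own the node's entry
sshd_parent_id() {
  printf 'spiffe://%s/spire/agent/%s/%s\n' "$TRUST_DOMAIN" "$ATTESTOR" "$1"
}

# sshd_spiffe_id NODE -> the workload SPIFFE ID under /sshd/
sshd_spiffe_id() {
  printf 'spiffe://%s/sshd/%s\n' "$TRUST_DOMAIN" "$1"
}

# sshd_selector -> systemd selector for the unit instance the client runs as
sshd_selector() {
  printf 'systemd:id:spiffe-step-ssh@%s.service\n' "$INSTANCE"
}

# valid_hostname NODE -> 0 only for a plain FQDN; anything else (spaces, leading
# dash, leading/trailing dot) is refused before it can become an entry.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|*.|.*) return 1 ;;
  esac
  return 0
}

# register_node NODE -> runs "spire-server entry create" for one node
register_node() {
  node="$1"
  valid_hostname "$node" || { echo "skipping invalid node name: '$node'" >&2; return 1; }
  $SPIRE_SERVER entry create \
    -parentID "$(sshd_parent_id "$node")" \
    -spiffeID "$(sshd_spiffe_id "$node")" \
    -selector "$(sshd_selector)"
}

# register_nodes -> reads one hostname per line from stdin (blank lines and
# '#' comments skipped); returns non-zero if any node failed.
register_nodes() {
  rc=0
  while IFS= read -r node; do
    [ -z "$node" ] && continue
    case "$node" in '#'*) continue ;; esac
    register_node "$node" || rc=1
  done
  return $rc
}

# Constructed sample list; run "SPIRE_SERVER='echo spire-server' sh this.sh --demo"
# to preview the commands without touching the server.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' test.example.com web01.example.com '# comment' 'bad host' | register_nodes
fi
```

Run it with SPIRE_SERVER='echo spire-server' first to review the exact commands, then without it against the real server; one failed hostname does not abort the rest of the list but does make the script exit non-zero.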
Install spiffe-step-ssh on the node:
make install
Several configurations give different levels of high availability, up to and including two complete SPIFFE trust domains, two spiffe-step-ssh servers, and two spiffe-step-ssh client instances on each node. The fully redundant layout is configured as follows.
Add into /etc/spiffe/step-ssh/a.conf
SPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-a.example.org
SPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-a.example.org
Add into /etc/spiffe/step-ssh/b.conf
SPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-b.example.org
SPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-b.example.org
Enable and start both client instances:
systemctl enable spiffe-step-ssh@a spiffe-step-ssh@b
systemctl start spiffe-step-ssh@a spiffe-step-ssh@b
Add both Step CA SSH host CA public keys to known_hosts on your ssh clients, as @cert-authority entries. A client that trusts only one of the two CAs will reject host certificates issued by the other, which defeats the point of the redundant pair.
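The node-side and client-side steps of the HA setup above, as an added example that is not the project's own code. It assumes the per-instance config layout shown on this page (/etc/spiffe/step-ssh/<instance>.conf holding SPIFFE_STEP_SSH_URL and SPIFFE_STEP_SSH_FETCHCA_URL) and that you already have each CA's SSH public key; the two keys in the script are constructed placeholders, not real keys, and the config directory and systemctl command can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not code from the spiffe-step-ssh project: bring up both HA
# client instances on a node, then trust both Step SSH host CAs on an ssh
# client. Assumes the per-instance config layout from the page
# (/etc/spiffe/step-ssh/<instance>.conf) and that the CA public keys are
# already known; DEMO_KEY_A/DEMO_KEY_B below are constructed placeholders.
CONF_DIR="${CONF_DIR:-/etc/spiffe/step-ssh}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # set to "true" or "echo systemctl" for a dry run

# write_instance_conf NAME URL FETCHCA_URL -> writes CONF_DIR/NAME.conf, mode 0600.
# Both URLs must be https:// and must not contain characters that could inject
# extra lines or variables into the environment file.
write_instance_conf() {
  name="$1" url="$2" fetchca="$3"
  case "$url$fetchca" in
    *[!A-Za-z0-9:/._-]*) echo "refusing URL with unexpected characters for $name" >&2; return 1 ;;
  esac
  case "$url" in https://*) ;; *) echo "SPIFFE_STEP_SSH_URL for $name must be https://" >&2; return 1 ;; esac
  case "$fetchca" in https://*) ;; *) echo "SPIFFE_STEP_SSH_FETCHCA_URL for $name must be https://" >&2; return 1 ;; esac
  mkdir -p "$CONF_DIR" || return 1
  ( umask 077
    printf 'SPIFFE_STEP_SSH_URL=%s\nSPIFFE_STEP_SSH_FETCHCA_URL=%s\n' "$url" "$fetchca" \
      > "$CONF_DIR/$name.conf" )
}

# setup_node_clients -> the node-side steps: write a.conf and b.conf, then
# enable and start both instances.
setup_node_clients() {
  write_instance_conf a https://spiffe-step-ssh-a.example.org https://spiffe-step-ssh-fetchca-a.example.org || return 1
  write_instance_conf b https://spiffe-step-ssh-b.example.org https://spiffe-step-ssh-fetchca-b.example.org || return 1
  $SYSTEMCTL enable spiffe-step-ssh@a spiffe-step-ssh@b || return 1
  $SYSTEMCTL start spiffe-step-ssh@a spiffe-step-ssh@b
}

# ca_line PATTERN KEY -> the known_hosts line that trusts KEY as a host CA for
# hosts matching PATTERN (without @cert-authority it would be a plain host key).
ca_line() {
  printf '@cert-authority %s %s\n' "$1" "$2"
}

# trust_host_ca KNOWN_HOSTS PATTERN KEY -> append the @cert-authority line once.
trust_host_ca() {
  kh="$1" line="$(ca_line "$2" "$3")"
  [ -f "$kh" ] || : > "$kh" || return 1
  grep -qxF -- "$line" "$kh" && return 0   # already present; stay idempotent
  printf '%s\n' "$line" >> "$kh"
}

# trust_host_cas KNOWN_HOSTS PATTERN KEY... -> trust every CA of the HA pair.
# A client that trusts only CA a rejects hosts whose cert came from CA b.
trust_host_cas() {
  kh="$1" pattern="$2"; shift 2
  for key in "$@"; do
    trust_host_ca "$kh" "$pattern" "$key" || return 1
  done
}

# count_host_cas KNOWN_HOSTS -> number of @cert-authority lines in the file.
count_host_cas() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '^@cert-authority ' "$1" || true
}

# Constructed placeholder keys (NOT real CA keys); substitute the real ones.
DEMO_KEY_A='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-for-ca-a'
DEMO_KEY_B='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-for-ca-b'

# Dry run into a temp dir: "sh this.sh --demo"
if [ "${1:-}" = "--demo" ]; then
  CONF_DIR="$(mktemp -d)" SYSTEMCTL="echo systemctl"
  setup_node_clients && cat "$CONF_DIR/a.conf" "$CONF_DIR/b.conf"
  trust_host_cas "$CONF_DIR/known_hosts" '*.example.org' "$DEMO_KEY_A" "$DEMO_KEY_B"
  cat "$CONF_DIR/known_hosts"; rm -rf "$CONF_DIR"
fi
```

The host pattern given to trust_host_cas should be as narrow as your naming allows ('*.example.org' here); a bare '*' would let either CA vouch for any hostname the client ever connects to.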