Add spiffe-step-ssh scripts

examples/spiffe-step-ssh/Makefile

@@ -0,0 +1,11 @@
+default:
+	@echo Targets:
+	@echo "  install"
+
+install:
+	mkdir -p $(DESTDIR)/etc/systemd/system
+	mkdir -p $(DESTDIR)/usr/libexec/spiffe-step-ssh
+	install conf/spiffe-step-ssh.conf $(DESTDIR)/etc
+	install conf/helper.conf $(DESTDIR)/usr/libexec/spiffe-step-ssh
+	install scripts/update.sh  $(DESTDIR)/usr/libexec/spiffe-step-ssh
+	install systemd/spiffe-step-ssh.service $(DESTDIR)/etc/systemd/system

examples/spiffe-step-ssh/conf/10-spiffe-step-ssh.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/libexec/spiffe-step-ssh/reset.sh

examples/spiffe-step-ssh/conf/spiffe-step-ssh.conf

@@ -0,0 +1,9 @@
+SPIFFE_TRUST_DOMAIN=""
+
+SPIRE_AGENT_ADDRESS="/var/run/spire/agent/sockets/main/public/api.sock"
+
+# DEFAULT https://spire-step-ssh-fetchca.${SPIFFE_TRUST_DOMAIN}
+SPIFFE_STEP_SSH_FETCHCA_URL=""
+
+# DEFAULT https://step-ssh.${SPIFFE_TRUST_DOMAIN}
+SPIFFE_STEP_SSH_URL=""

examples/spiffe-step-ssh/scripts/demo.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ARCH="$(uname -m | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)"
+
+# Install deps from prebuilt binaries and scripts
+cd /tmp
+curl -L -o helper.tgz https://github.com/spiffe/spiffe-helper/releases/download/v0.8.0/spiffe-helper-v0.8.0.tar.gz
+tar -xvf helper.tgz
+mv spiffe-helper /bin
+curl -L -o spire.tgz "https://github.com/spiffe/spire/releases/download/v1.11.0/spire-1.11.0-linux-${ARCH}-musl.tar.gz"
+tar -xvf spire.tgz
+mv spire-*/bin/spire-agent /bin
+curl -L -o step.tgz "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.27.4/step_linux_0.27.4_${ARCH}.tar.gz"
+tar -xvf step.tgz
+mv step*/bin/step /bin
+curl -L -o /etc/systemd/system/spire-agent.target https://raw.githubusercontent.com/spiffe/spire-examples/refs/heads/main/examples/systemd/system/spire-agent.target
+curl -L -o /etc/systemd/system/spire-agent@.service https://raw.githubusercontent.com/spiffe/spire-examples/refs/heads/main/examples/systemd/system/spire-agent@.service
+curl -L -o /etc/systemd/system/spire.target https://raw.githubusercontent.com/spiffe/spire-examples/refs/heads/main/examples/systemd/system/spire.target

examples/spiffe-step-ssh/scripts/reset.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+if [ ! -d /var/run/spiffe-step-ssh ]; then
+	rm -f /etc/ssh/sshd_config.d/50-spiffe-step-ssh.conf
+fi

examples/spiffe-step-ssh/scripts/update.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+SPIFFE_STEP_SSH_INSTANCE="${SPIFFE_STEP_SSH_INSTANCE:=main}"
+
+RUNDIR="/var/run/spiffe/step-ssh/${SPIFFE_STEP_SSH_INSTANCE}"
+
+if [[ "${SPIFFE_TRUST_DOMAIN}" == "" ]]; then
+	ENTRIES="$(openssl x509 -in $RUNDIR/spiffe-ca.pem -noout -ext subjectAltName | grep '[ ]*URI:spiffe://' | wc -l)"
+	if [[ $ENTRIES -eq 1 ]]; then
+		SPIFFE_TRUST_DOMAIN="$(openssl x509 -in $RUNDIR/spiffe-ca.pem -noout -ext subjectAltName | grep '[ ]*URI:spiffe://' | sed 's^[ ]*URI:spiffe://^^')"
+	fi
+fi
+
+[[ "${SPIFFE_TRUST_DOMAIN}" == "" ]] && echo You must configure SPIFFE_TRUST_DOMAIN && exit
+
+echo "TrustDomain: $SPIFFE_TRUST_DOMAIN"
+
+# Setup Defaults
+INSTANCE_SUFFIX="-${SPIFFE_STEP_SSH_INSTANCE}"
+if [[ "${SPIFFE_STEP_SSH_INSTANCE}" == "main" ]]; then
+	INSTANCE_SUFFIX=""
+fi
+SPIFFE_STEP_SSH_URL="${SPIFFE_STEP_SSH_URL:=https://spiffe-step-ssh${INSTANCE_SUFFIX}.${SPIFFE_TRUST_DOMAIN}}"
+SPIFFE_STEP_SSH_FETCHCA_URL="${SPIFFE_STEP_SSH_FETCHCA_URL:=https://spiffe-step-ssh-fetchca${INSTANCE_SUFFIX}.${SPIFFE_TRUST_DOMAIN}}"
+
+# FIXME If *_URL doesn't start with HTTPS://, add it to make things easier to use.
+
+update-certs() {(
+        # Get CA
+        echo Fetching CA from "${SPIFFE_STEP_SSH_FETCHCA_URL}"
+        curl -f -s "${SPIFFE_STEP_SSH_FETCHCA_URL}" --cacert "${RUNDIR}/spiffe-ca.pem" -o "${RUNDIR}/step-ca.pem" || exit 1
+        s=$(wc -c "${RUNDIR}/step-ca.pem"  | awk '{print $1}')
+        if [[ $s -eq 0 ]]; then
+                echo Failed to get step-ca.
+                exit 1
+        fi
+
+        # Generate keys if they dont exist
+        [ ! -f "${RUNDIR}/ssh_host_rsa_key" ] && ssh-keygen -q -N "" -t rsa -b 4096 -f "${RUNDIR}/ssh_host_rsa_key"
+        [ ! -f "${RUNDIR}/ssh_host_ecdsa_key" ] && ssh-keygen -q -N "" -t ecdsa -f "${RUNDIR}/ssh_host_ecdsa_key"
+        [ ! -f "${RUNDIR}/ssh_host_ed25519_key" ] && ssh-keygen -q -N "" -t ed25519 -f "${RUNDIR}/ssh_host_ed25519_key"
+
+        openssl ec -in "${RUNDIR}/tls.key" -outform PEM -out "${RUNDIR}/tls.pem" || exit 1
+
+        CERTNAME="$(openssl x509 -in "${RUNDIR}/tls.crt" -noout -subject | sed 's/^.*CN = //' | sed 's/,.*//')"
+        echo "CN: $CERTNAME"
+
+        # Build signed certs
+        step ssh certificate -root="${RUNDIR}/step-ca.pem" --ca-url="${SPIFFE_STEP_SSH_URL}" "$CERTNAME" "${RUNDIR}/ssh_host_rsa_key.pub" --host --sign --x5c-cert="${RUNDIR}/tls.crt" --x5c-key="${RUNDIR}/tls.pem" --force || exit 1
+        step ssh certificate -root="${RUNDIR}/step-ca.pem" --ca-url="${SPIFFE_STEP_SSH_URL}" "$CERTNAME" "${RUNDIR}/ssh_host_ecdsa_key.pub" --host --sign --x5c-cert="${RUNDIR}/tls.crt" --x5c-key="${RUNDIR}/tls.pem" --force || exit 1
+        step ssh certificate -root="${RUNDIR}/step-ca.pem" --ca-url="${SPIFFE_STEP_SSH_URL}" "$CERTNAME" "${RUNDIR}/ssh_host_ed25519_key.pub" --host --sign --x5c-cert="${RUNDIR}/tls.crt" --x5c-key="${RUNDIR}/tls.pem" --force || exit 1
+
+        # Configure ssh if it isn't already
+        mkdir -p /etc/ssh/sshd_config.d
+	tmpfile=$(mktemp /etc/ssh/sshd_config.d/.spiffe-step-ssh.XXXXXX)
+        cat > "$tmpfile" <<FEOF
+HostKey ${RUNDIR}/ssh_host_rsa_key
+HostKey ${RUNDIR}/ssh_host_ecdsa_key
+HostKey ${RUNDIR}/ssh_host_ed25519_key
+HostCertificate ${RUNDIR}/ssh_host_rsa_key-cert.pub
+HostCertificate ${RUNDIR}/ssh_host_ecdsa_key-cert.pub
+HostCertificate ${RUNDIR}/ssh_host_ed25519_key-cert.pub
+FEOF
+	mv "$tmpfile" /etc/ssh/sshd_config.d/50-spiffe-step-ssh.conf || exit 1
+        grep 'Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config > /dev/null || echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+
+        chcon system_u:object_r:sshd_key_t:s0 "${RUNDIR}"/ssh_host* || true
+
+        # Apply
+        systemctl reload sshd
+	)
+	return $?
+	}
+
+while true; do
+        update-certs && break
+        sleep 1
+done

examples/spiffe-step-ssh/systemd/spiffe-step-ssh-cleanup.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=SPIFFE step-ca SSH Cleanup
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+ExecStart=/usr/libexec/spiffe-step-ssh/reset.sh
+Type=oneshot
+
+[Install]
+WantedBy=shutdown.target

examples/spiffe-step-ssh/systemd/spiffe-step-ssh@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=SPIFFE step-ca SSH Helper %i
+After=network-online.target local-fs.target time-sync.target
+Wants=network-online.target local-fs.target time-sync.target spire-agent.target
+
+[Service]
+Environment="SPIRE_AGENT_ADDRESS=/var/run/spire/agent/sockets/%i/public/api.sock"
+Environment="SPIFFE_STEP_SSH_INSTANCE=%i"
+EnvironmentFile=-/etc/spiffe/step-ssh/%i.conf
+ExecStart=spiffe-helper -config /var/run/spiffe/step-ssh/%i/helper.conf
+ExecStartPre=mkdir -p /var/run/spiffe/step-ssh/%i
+ExecStartPre=chmod 700 /var/run/spiffe/step-ssh/%i
+ExecStartPre=/bin/bash -c "echo Y21kID0gImJhc2giCmNtZF9hcmdzID0gIi91c3IvbGliZXhlYy9zcGlmZmUtc3RlcC1zc2gvdXBkYXRlLnNoIgpjZXJ0X2RpciA9ICJAQ0RAIgpzdmlkX2ZpbGVfbmFtZSA9ICJ0bHMuY3J0IgpzdmlkX2tleV9maWxlX25hbWUgPSAidGxzLmtleSIKc3ZpZF9idW5kbGVfZmlsZV9uYW1lID0gInNwaWZmZS1jYS5wZW0iCg== | base64 -d > /var/run/spiffe/step-ssh/%i/helper.conf"
+ExecStartPre=/bin/sed -i "s^@CD@^/var/run/spiffe/step-ssh/%i^" /var/run/spiffe/step-ssh/%i/helper.conf
+
+[Install]
+WantedBy=multi-user.target