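#!/bin/bash
# host-bootstrap.sh — enrol this EC2 host with our smallstep `step-ca`:
# install `step`, trust the CA, obtain an SSH host certificate, and point
# `sshd` at the host certificate and at the CA key that signs user certificates.
#
# Environment (optional; the defaults reproduce the original demo behaviour):
#   STEP_PROVISIONER_PASSWORD  password of the "mike@example.com" provisioner
#   STEP_CLI_DEB_SHA256        when set, the downloaded .deb must match this digest
#
# Needs sudo. Side effects: installs a package, writes $(step path)/certs,
# appends to /etc/ssh/sshd_config, restarts sshd, creates user `mike`.
# Fails fast (set -e) so a missing host certificate never leads to an sshd
# restart against a half-written configuration.
set -euo pipefail

readonly step_version="0.12.0"
readonly step_deb="step-cli_${step_version}_amd64.deb"
readonly ca_url="ec2-54-167-89-236.compute-1.amazonaws.com"
readonly ca_fingerprint="34d7a0c1d8ffc3e52cd7bde990f027622afb957c70b8e0e10fd482db47adc7c5"
readonly provisioner="mike@example.com"
readonly imds="http://169.254.169.254"
# The demo password stays as the default only for backward compatibility;
# set STEP_PROVISIONER_PASSWORD in the environment instead of editing this file.
provisioner_password="${STEP_PROVISIONER_PASSWORD:-pass}"

die() { printf 'host-bootstrap: %s\n' "$*" >&2; exit 1; }

# Download into a private temp dir rather than the caller's cwd; removed on exit.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# Install `step`. -f turns an HTTP error into a failure instead of handing
# an HTML error page to dpkg.
curl -fsSL -o "$tmpdir/$step_deb" \
  "https://github.com/smallstep/cli/releases/download/v${step_version}/${step_deb}"
if [[ -n "${STEP_CLI_DEB_SHA256:-}" ]]; then
  # The release URL alone is not an integrity check; pin the package when a
  # digest is supplied.
  printf '%s  %s\n' "$STEP_CLI_DEB_SHA256" "$tmpdir/$step_deb" \
    | sha256sum -c --quiet - || die "checksum mismatch for $step_deb"
fi
sudo dpkg -i -- "$tmpdir/$step_deb"

# Configure `step` to connect to & trust our `step-ca`; the fingerprint pins
# the root so a spoofed CA URL cannot be trusted silently.
step ca bootstrap --ca-url "$ca_url" --fingerprint "$ca_fingerprint"

# Install the CA cert for validating user certificates
# (from ~/.ssh/certs/ssh_user_key.pub on the CA).
step_path=$(step path) || die "step path failed"
mkdir -p -- "$step_path/certs"
printf '%s\n' "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+28xkD7pKCo5ltgUaebEngnNJZRzr+iN/sxnwSEFL0AFExpzE0FMG2W1PIh8WaHJciSvJaMp3/u00/ZvDYx9U=" \
  > "$step_path/certs/ssh_user_key.pub"

# Get an SSH host certificate. Ask IMDS with a v2 session token, which works
# whether the instance merely allows IMDSv1 or requires IMDSv2.
imds_token=$(curl -fsS -X PUT "$imds/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || die "IMDS token request failed"
HOSTNAME=$(curl -fsS -H "X-aws-ec2-metadata-token: $imds_token" \
  "$imds/latest/meta-data/public-hostname") || die "could not read public-hostname"
[[ -n "$HOSTNAME" ]] || die "public-hostname is empty; refusing to request a certificate for an empty name"
export HOSTNAME
# The CA token is a bearer credential: keep it unexported so child processes
# do not inherit it through the environment.
token=$(step ca token "$HOSTNAME" --ssh --host --provisioner "$provisioner" \
  --password-file <(printf '%s\n' "$provisioner_password")) || die "step ca token failed"
# NOTE: `--token` on argv is visible in `ps` for the duration of this command.
sudo step ssh certificate "$HOSTNAME" /etc/ssh/ssh_host_ecdsa_key.pub --host --sign \
  --provisioner "$provisioner" --token "$token"

# Configure `sshd` once; the marker comment makes re-runs idempotent instead
# of appending duplicate directives.
if ! sudo grep -qF '# SSH CA Configuration' /etc/ssh/sshd_config; then
  sudo tee -a /etc/ssh/sshd_config > /dev/null <<EOF
# SSH CA Configuration
# The path to the CA public key for authenticatin user certificates
TrustedUserCAKeys $step_path/certs/ssh_user_key.pub
# Path to the private key and certificate
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
EOF
fi
# Validate before restarting so a bad config cannot lock us out of the host.
sudo sshd -t || die "sshd_config failed validation; not restarting sshd"
sudo service ssh restart

# Add user `mike` (skipped if present so re-runs do not abort under set -e).
if ! id -u mike >/dev/null 2>&1; then
  sudo adduser --quiet --disabled-password --gecos '' mike
fi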