diff --git a/roles/user/ssh/files/vssh b/roles/user/ssh/files/vssh
new file mode 100755
index 0000000..ddd8177
--- /dev/null
+++ b/roles/user/ssh/files/vssh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# create a temporary directory for an SSH key
+SSH_KEY_DIR=$(mktemp -d)
+
+# if no path to the key exists, create a temporary one
+if [[ $SSH_KEY_PATH == "" ]]; then
+ SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
+ ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
+fi
+
+vault ssh \
+ -no-exec \
+ -field=signed_key \
+ -mode=ca \
+ -role="$VSSH_ROLE" \
+ -valid-principals="$VSSH_PRINCIPALS" \
+ -public-key-path=$SSH_KEY_PATH.pub \
+ -private-key-path=$SSH_KEY_PATH \
+ localhost > $SSH_KEY_PATH.pub.signed
+chmod 400 $SSH_KEY_PATH.pub.signed
+
+# [DEBUG]
+ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
+
+# execute the SSH
+ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
+
+# delete the signed key and temporary key if exists
+rm -f $SSH_KEY_PATH.pub.signed
+rm -rf $SSH_KEY_DIR
diff --git a/roles/user/ssh/tasks/main.yml b/roles/user/ssh/tasks/main.yml
index 1a29c0c..8ea69dc 100644
--- a/roles/user/ssh/tasks/main.yml
+++ b/roles/user/ssh/tasks/main.yml
@@ -12,3 +12,9 @@
 dest: ~/.ssh/authorized_keys
 mode: 0600
 tags: ssh/authorized-keys
+
+- name: Install ‹vssh› script
+  ansible.builtin.copy:
+    src: files/vssh
+    dest: ~/.local/bin/vssh
+    mode: 0640
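Review bot: The temporary private key in `$SSH_KEY_DIR` is only removed by the two `rm` lines at the end of the script, so an interrupted or killed `ssh` session (Ctrl-C, closed terminal) leaves an unencrypted Vault-signed key pair behind in /tmp, and a failing `vault ssh` is not detected at all because the script has no error handling — `ssh` then runs with an empty `.pub.signed` file and the script's exit status is that of the final `rm -rf`, not of `ssh`. Moving the cleanup into an `EXIT` trap and enabling `set -euo pipefail` closes both gaps; the `-u` option requires the empty-path test to become `[[ -z "${SSH_KEY_PATH:-}" ]]`. Every `$SSH_KEY_PATH` expansion and the final `$@` should be quoted (`ssh -i "$SSH_KEY_PATH" -i "$SSH_KEY_PATH.pub.signed" "$@"`), since a caller-supplied `SSH_KEY_PATH` or arguments containing spaces are split otherwise. The `# [DEBUG]` `ssh-keygen -L` call writes the certificate dump to stdout on every invocation, which breaks any use of vssh as a transport (scp, rsync `-e`, ProxyCommand); it should be removed or sent to stderr behind an opt-in variable.
```bash
#!/bin/bash
set -euo pipefail

SSH_KEY_DIR=$(mktemp -d)

# Remove the signed certificate and the temporary key on every exit path,
# including a signal delivered while ssh is running.
cleanup() {
  if [[ -n "${SSH_KEY_PATH:-}" ]]; then
    rm -f -- "$SSH_KEY_PATH.pub.signed"
  fi
  rm -rf -- "${SSH_KEY_DIR:?}"
}
trap cleanup EXIT

if [[ -z "${SSH_KEY_PATH:-}" ]]; then
  SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
  ssh-keygen -q -t ed25519 -N "" -f "$SSH_KEY_PATH"
fi

# … unchanged: vault ssh call and chmod 400 (with the path expansions quoted) …

ssh -i "$SSH_KEY_PATH" -i "$SSH_KEY_PATH.pub.signed" "$@"
```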
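Review bot: The new copy task installs `~/.local/bin/vssh` with `mode: 0640`, which drops the executable bit even though the source file is committed as mode 100755, so the script cannot be run as `vssh` from PATH after this play; `mode: 0750` (or `0700`, matching the private-key handling in the script) is what the task needs. The task also omits the `tags:` entry that the preceding authorized_keys task carries, so it cannot be selected or skipped with the rest of the role's ssh tags, and it presumably relies on `~/.local/bin` already existing since `ansible.builtin.copy` does not create parent directories — worth confirming or adding a `file` task with `state: directory` before it. The task whose `dest`/`mode`/`tags` lines form the hunk's context starts outside the hunk.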