From 0ba14494945de69b6393fecf1eb9495be23d85be Mon Sep 17 00:00:00 2001
From: Matej Focko
Date: Wed, 9 Aug 2023 14:34:45 +0200
Subject: [PATCH] sshd-mf: add RPM for configuring sshd with HC Vault

Signed-off-by: Matej Focko
---
 sshd-mf/90-mf-ca.conf | 1 +
 sshd-mf/sshd-mf.spec | 37 ++++++++++++++++++++++++++++++++
 sshd-mf/trusted-user-ca-keys.pem | 1 +
 3 files changed, 39 insertions(+)
 create mode 100644 sshd-mf/90-mf-ca.conf
 create mode 100644 sshd-mf/sshd-mf.spec
 create mode 100644 sshd-mf/trusted-user-ca-keys.pem

diff --git a/sshd-mf/90-mf-ca.conf b/sshd-mf/90-mf-ca.conf
new file mode 100644
index 0000000..3ebd8f9
--- /dev/null
+++ b/sshd-mf/90-mf-ca.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
diff --git a/sshd-mf/sshd-mf.spec b/sshd-mf/sshd-mf.spec
new file mode 100644
index 0000000..0dc2217
--- /dev/null
+++ b/sshd-mf/sshd-mf.spec
@@ -0,0 +1,37 @@
+Name: sshd-mf
+Version: 0.1
+Release: 1%{?dist}
+Summary: SSHD configuration that allows logging in via signed SSH certificates
+License: MIT
+Source0: %{name}-%{version}.tar.gz
+
+%description
+Configuration files for ssh server that allow logging in via signed SSH certificates
+provided by mf's HashiCorp Vault instance.
+
+%prep
+%autosetup
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
+
+install -m 600 trusted-user-ca-keys.pem %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/
+install -m 600 90-mf-ca.conf %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/
+
+%post
+if [ -d /run/systemd ]; then
+ systemctl restart sshd
+fi
+
+%postun
+if [ -d /run/systemd ]; then
+ systemctl restart sshd
+fi
+
+%files
+%config %{_sysconfdir}/ssh/sshd_config.d/{trusted-user-ca-keys.pem,90-mf-ca.conf}
+
+%changelog
+* Wed Aug 09 2023 Matej Focko - 0.1-1
+- Initial release
+
diff --git a/sshd-mf/trusted-user-ca-keys.pem b/sshd-mf/trusted-user-ca-keys.pem
new file mode 100644
index 0000000..1f0a75e
--- /dev/null
+++ b/sshd-mf/trusted-user-ca-keys.pem
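Review bot: In sshd-mf/90-mf-ca.conf, `TrustedUserCAKeys` is set with nothing on the host limiting which certificate principals map to which local account. With this line alone sshd accepts any certificate signed by the CA whose principal list contains the target user name, so the only guard on who can log in as a given account (root included, if `PermitRootLogin` allows key-based login) is how the Vault signing role restricts principals, which this patch does not show. Consider adding `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u` (the path is a placeholder) next to it, or state in the spec's `%description` that the role must pin the allowed principals and issue short-lived certificates.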
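Review bot: In sshd-mf/sshd-mf.spec, both `%post` and `%postun` run `systemctl restart sshd` without testing the resulting configuration, and `restart` also starts sshd on a host where it had been deliberately stopped. If the drop-in fails to parse, the restart could leave the machine without a listening sshd once the transaction finishes. I would gate the scriptlets on a config test and only touch a running service: `if [ -d /run/systemd ] && /usr/sbin/sshd -t; then` followed by `systemctl try-restart sshd.service`. The package also declares no `Requires: openssh-server`, and `%config` without `(noreplace)` replaces a locally edited CA file on upgrade (the old copy is kept as `.rpmsave`); for a trust anchor that may be intended, but it deserves a comment in `%files`.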
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3WLRlb8NkXgJ3FLEK+9C2Sd96V6hJiDsnM8dboxScmlLrU7DsMzaTd+vbRDgFODiZ/e0JMEdbZq6XVfTZY5ZLjXeTJ7xlzx4FQy99g2EMgo+/zdRzisPAKLyAGVm7pcAQgUc/MlH7FVjNyflqDlyLq6ZXmjrP3tWBvm15gom8SlvelRer3uPuEG1I1yet2fS2NNggMS2zKEdJS89wAmYtwQLhbw4c6JMT+8mIHy/OHXurf+l13nGdTi09qbOzf3YykelnuIWDNWYIXnqldrcp58tzu8IUE70VZWxc0hV8t1pfQfN3ehi+K5MpnT9UAwMpRxO8kw+ZlDdy6keVtXiBJPEPAwYEbtDrFXWRbnq4eNndQt2FCXNz4JIPJBMME++0OU0gMQxyrLYsg7a6tkxViyvWaatntdkIFPTxoIjVVJxHHA0V+Pq9+6JpZmvm6NjHvR98Q7IzEqBPqPyguQgMEV0Ef6BR4ZwQ/9D8eYfjVaeviKTbBPDA/gy/eMP80os/4RhpyUpX6bsa0TDzXWlD7bFKyPoTTeV2VetyrNg15w2e0H3bO13jt90K9PUzCn0aYYwAUD5kvwEIX7SUTWYXI2BVfEh2Z9kEOVVpCRxzrMZqfdLJRWY6r0Ggtn8HozBMCSMJc72KKS69hPiXVgFHXiBvX7+anrantDzzPNsGTw==
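Review bot: The CA key in sshd-mf/trusted-user-ca-keys.pem is committed with no record of where it came from, so a reviewer cannot tell from the patch that it is the public key of the intended Vault SSH mount. Since this file decides who can sign logins for every host that installs the RPM, add a comment line above the key (the file format allows `#` lines), e.g. `# Vault SSH CA, mount <MOUNT_PATH>, SHA256:<FINGERPRINT>`, and repeat the fingerprint in the commit message. The key is RSA, so certificates need to be signed with `rsa-sha2-256` or `rsa-sha2-512`; recent OpenSSH releases reject SHA-1 `ssh-rsa` CA signatures under the default `CASignatureAlgorithms`.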