The goal of this application is to make an easy-to-deploy CA-signed SSH key environment, restricting the signing authority to key organization individuals, aka Key Custodians.

By using the YubiHSM as the backbone of this architecture you not only get more secure key storage but also visibility into who is signing SSH keys and when they are signing them.

👉 If you want to use this with a YubiHSM that is NOT managed by HCM, you must build the template using the public key your installation creates. You must also include the ID of the CA object in your template label name. In the example below that ID is 10. Example: `SSH Template-10`
## Requirements

- yubihsm-connector
- Linux OS
- root install[^1]
NOTE: You need to update the tag version. See https://github.com/trebortech/sshsigner/tags

```sh
pip3 install https://github.com/trebortech/sshsigner/archive/refs/tags/YY.MM.DD.BB.tar.gz
```

Please replace `YY.MM.DD.BB` with the correct tag version you want to pull.
Once installed:

```sh
tt-sshsigner
```

- `-d` = data directory. Defaults to `/opt/sshsigner`
- The UDEV rule (`yubihsm.rules`) triggers the SystemD service (`yubihsm-start.service`), which executes the `hsminsert.sh` script.
## On YubiHSM insert

```mermaid
%%{init: {
  'theme':'base',
  'themeVariables': {
    'tertiaryColor': '#cccccc',
    'mainBkg': '#e3dada',
    'actorTextColor': '#b1b1b5',
    'actorBkg': '#0c8796',
    'signalColor': '#0c8796',
    'signalTextColor': '#b1b1b5',
    'sequenceNumberColor': '#b1b1b5'
  }
}}%%
sequenceDiagram
  autonumber
  participant HSM
  participant UDEV
  Note over UDEV: /etc/udev/rules.d/yubihsm.rules
  participant SystemD
  Note over SystemD: /etc/systemd/system/yubihsm-start.service
  participant Script
  Note over Script: /usr/local/bin/hsminsert.sh
  HSM->>UDEV: Inserted
  UDEV->>SystemD: YubiHSM was inserted
  SystemD->>Script: Run Script
  Script->>Script: Start service for inserted YubiHSM
```
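The insert chain in the diagram above, written out as an added example. This is not the project's own `yubihsm.rules`, `yubihsm-start.service` or `hsminsert.sh` (those are not shown on this page); it assumes the YubiHSM 2 enumerates as USB 1050:0030 and that the Yubico connector unit is named `yubihsm-connector.service`, and it writes the files under a prefix so they can be reviewed before being installed as root:

```shell
#!/usr/bin/env bash
# Assumptions (not from the README): YubiHSM 2 is USB 1050:0030 and
# the Yubico connector ships as yubihsm-connector.service.
set -euo pipefail

# Write the three hook files under $1 (an empty prefix means the live system).
install_hsm_hooks() {
  local prefix="${1:-}"
  mkdir -p "$prefix/etc/udev/rules.d" "$prefix/etc/systemd/system" "$prefix/usr/local/bin"

  # udev: match only the usb_device node (not each interface) so the event
  # fires once, and hand off to systemd rather than forking a daemon from udev.
  cat > "$prefix/etc/udev/rules.d/yubihsm.rules" <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0030", TAG+="systemd", ENV{SYSTEMD_WANTS}+="yubihsm-start.service"
EOF

  # systemd: a one-shot unit whose only job is to run the insert script.
  cat > "$prefix/etc/systemd/system/yubihsm-start.service" <<'EOF'
[Unit]
Description=Start sshsigner services for an inserted YubiHSM

[Service]
Type=oneshot
ExecStart=/usr/local/bin/hsminsert.sh
EOF

  # script: record the insert in the journal (when the HSM showed up),
  # then start the connector the signer talks to.
  cat > "$prefix/usr/local/bin/hsminsert.sh" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
logger -t hsminsert "YubiHSM inserted at $(date -Is); starting connector"
systemctl start yubihsm-connector.service
EOF
  chmod 0755 "$prefix/usr/local/bin/hsminsert.sh"
}

# Default: render the files under a scratch prefix for review.
# Run with --install as root to write them to /.
if [ "${1:-}" = "--install" ]; then
  install_hsm_hooks ""
else
  install_hsm_hooks "${SSHSIGNER_PREFIX:-${TMPDIR:-/tmp}/hsm-hooks-preview}"
fi
```

After installing, `udevadm control --reload-rules` picks up the new rule, and `journalctl -t hsminsert` shows each insert event.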
- My test RPi has an OLED screen. The IP address of the device will show on it. Script located at `application/xscripts/oled.py`

```sh
python3 app.py
```
- Installation README with requirements
- Installation scripts
- UDEV script to configure YubiHSM on insert
- Create "timestamp" cert
- Create Login Page
- Create Sign Key page
- Create walk-through video
- Create systemd script for oled and app
- Update this README file
## Footnotes

[^1]: lsusb requires root access. Also, we are binding to port 443 but we should be able to work around that. I'm still working on a least-priv user.