From: Matt Birkholz Date: Tue, 16 Dec 2025 21:57:13 +0000 (-0700) Subject: Replace Secret/ssh_front/ with private/front_ed25519_key.pub. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=f7388919e5dbf107692d53e4f09d88316f99f81a;p=Institute.git Replace Secret/ssh_front/ with private/front_ed25519_key.pub. Treating Front's SSH host key like a WireGuard™ keypair. The secret key never leaves the machine. Though =Secret/ssh_front/= is "replaced" by one pubkey, it contained 3 useful example/test SSH host keypairs. These were moved to =private/front_ssh/=, and the one pubkey symlinked to the corresponding key in this directory. --- diff --git a/README.org b/README.org index e1b2fb8..63521cd 100644 --- a/README.org +++ b/README.org @@ -418,10 +418,6 @@ institute's SSH keys: Administrator. - [[file:Secret/ssh_monkey/][=Secret/ssh_monkey/=]] :: The key pair used by Monkey to update the website on Front (and other unprivileged tasks). - - [[file:Secret/ssh_front/][=Secret/ssh_front/=]] :: The host key pair used by Front to - authenticate itself. The automatically generated key pair is - /not/ used. (Thus Core's configuration does not depend on - Front's.) The institute uses a couple X.509 certificates to authenticate servers. They are created by the EasyRSA Certificate Authority stored 
@@ -876,25 +872,6 @@ file, copied it to the droplet, and installed it as the : notebook$ rm admin_keys : notebook$ -The Ansible configuration expects certain host keys on the new front. -The administrator should install them now, and deal with the machine's -change of SSH identity. The following commands copied the host keys -in =Secret/ssh_front/= to the droplet and restarted the SSH server. - -: notebook$ ( cd Secret/ssh_front/etc/ssh/; -: notebook_ scp ssh_host_* sysadm@159.65.75.60: ) -: notebook$ ssh sysadm@159.65.75.60 -: sysadm@ubuntu$ chmod 600 ssh_host_* -: sysadm@ubuntu$ chmod 644 ssh_host_*.pub -: sysadm@ubuntu$ sudo cp -b ssh_host_* /etc/ssh/ -: sysadm@ubuntu$ sudo systemctl restart ssh -: sysadm@ubuntu$ logout -: notebook$ ssh-keygen -f ~/.ssh/known_hosts -R 159.65.75.60 - -The last command removed the old host key from the administrator's -=known_hosts= file. The next few commands served to test -password-less login as well as the privilege escalation command -~sudo~. The Droplet needed a couple additional software packages immediately. The ~wireguard~ package was needed to generate the Droplet's private @@ -932,6 +909,12 @@ were indeed denied. : notebook$ ssh root@159.65.75.60 : root@159.65.75.60: Permission denied (publickey). : notebook$ +Finally, the new machine's ssh public host is copied to +=private/front_ed25519_key.pub=. + +: notebook$ scp sysadm@$H:/etc/ssh/ssh_host_ed25519_key.pub \ +: notebook_ private/front_ed25519_key.pub +: notebook$ At this point the droplet was ready for configuration by Ansible. Later, provisioned with all of Front's services /and/ tested, the 
@@ -1424,42 +1407,6 @@ these groups speeds up debugging. groups: root,adm #+END_SRC -** Configure SSH - -The SSH service on Front needs to be known to Monkey. The following -tasks ensure this by replacing the automatically generated keys with -those stored in [[file:Secret/ssh_front/etc/ssh/][=Secret/ssh_front/etc/ssh/=]] and restarting the server. - -#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml - -- name: Install SSH host keys. - become: yes - copy: - src: ../Secret/ssh_front/etc/ssh/{{ item.name }} - dest: /etc/ssh/{{ item.name }} - mode: "{{ item.mode }}" - loop: - - { name: ssh_host_ecdsa_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_ecdsa_key.pub, mode: "u=rw,g=r,o=r" } - - { name: ssh_host_ed25519_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_ed25519_key.pub, mode: "u=rw,g=r,o=r" } - - { name: ssh_host_rsa_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_rsa_key.pub, mode: "u=rw,g=r,o=r" } - notify: Reload SSH server. -#+END_SRC - -#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml :mkdirp yes ---- -- name: Reload SSH server. - become: yes - systemd: - service: ssh - state: reloaded - tags: actualizer -#+END_SRC - ** Configure Monkey The small institute runs cron jobs and web scripts that generate @@ -1720,8 +1667,8 @@ start and enable the service. #+END_SRC #+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml - +#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml :mkdirp yes +--- - name: Restart Postfix. become: yes systemd: 
@@ -2921,11 +2868,9 @@ described in [[apache2-core][*Configure Apache2]]). - name: Configure Monkey SSH known hosts. become: yes vars: - pubkeypath: ../Secret/ssh_front/etc/ssh - pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub" - pubkey: "{{ lookup('file', pubkeyfile) }}" + pubkey: "{{ lookup('file', '../private/front_ed25519_key.pub') }}" lineinfile: - regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 " + regexp: "^{{ domain_name }},{{ front_addr }} ssh-ed25519 " line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}" path: /home/monkey/.ssh/known_hosts create: yes @@ -6087,10 +6032,6 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") { mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config"; mysystem ("ssh-keygen -q -t rsa -C monkey\@core", "-N '' -f Secret/ssh_monkey/id_rsa"); - - mysystem "mkdir Secret/ssh_front"; - chmod 0700, "Secret/ssh_front"; - mysystem "ssh-keygen -A -f Secret/ssh_front -C $dom"; exit; } #+END_SRC @@ -7239,10 +7180,9 @@ networks. If ~USER@SERVER~ is such an account, the script would be copied and executed thusly: : notebook$ scp private/test-front-prep USER@SERVER: -: notebook$ scp -r Secret/ssh_front/ USER@SERVER: +: notebook$ scp -r private/front_ssh/ USER@SERVER: : sysadm@front$ scp USER@SERVER:test-front-prep ./ -: sysadm@front$ scp -r USER@SERVER:ssh_front/ ./ : sysadm@front$ ./test-front-prep The script starts by installing additional software packages. The 
@@ -7321,19 +7261,16 @@ iface enp0s8 inet static EOF #+END_SRC -Ansible expects ~front~ to use the SSH host keys in -=Secret/ssh_front/=, so it is prepared with these keys in advance. -(If Ansible installed them, ~front~ would change identities while -Ansible was configuring it. Ansible would lose subsequent access -until the administrator's =~/.ssh/known_hosts= was updated!) +Ansible expects =private/front_ed25519_key.pub= to be the SSH host key +in use on ~front~, so it is prepared with a set of test keys in +advance. Doing so now avoids ~front~ changing identities while +Ansible is configuring it (if Ansible were to install the test +identities). #+CAPTION: [[file:private/test-front-prep][=private/test-front-prep=]] #+BEGIN_SRC sh :tangle private/test-front-prep -( cd ssh_front/etc/ssh/ - chmod 600 ssh_host_* - chmod 644 ssh_host_*.pub - sudo cp -b ssh_host_* /etc/ssh/ ) +( cd front_ssh/; sudo cp -b ssh_host_* /etc/ssh/ ) #+END_SRC With the preparatory script successfully executed, ~front~ is shut diff --git a/inst b/inst index 7d44a6d..4f6b5c4 100755 --- a/inst +++ b/inst @@ -110,10 +110,6 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") { mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config"; mysystem ("ssh-keygen -q -t rsa -C monkey\@core", "-N '' -f Secret/ssh_monkey/id_rsa"); - - mysystem "mkdir Secret/ssh_front"; - chmod 0700, "Secret/ssh_front"; - mysystem "ssh-keygen -A -f Secret/ssh_front -C $dom"; exit; } diff --git a/private/front_ed25519_key.pub b/private/front_ed25519_key.pub new file mode 120000 index 0000000..c5a6af1 --- /dev/null +++ b/private/front_ed25519_key.pub @@ -0,0 +1 @@ +front_ssh/ssh_host_ed25519_key.pub \ No newline at end of file diff --git a/Secret/ssh_front/etc/ssh/ssh_host_ecdsa_key b/private/front_ssh/ssh_host_ecdsa_key similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_ecdsa_key rename to private/front_ssh/ssh_host_ecdsa_key 
diff --git a/Secret/ssh_front/etc/ssh/ssh_host_ecdsa_key.pub b/private/front_ssh/ssh_host_ecdsa_key.pub similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_ecdsa_key.pub rename to private/front_ssh/ssh_host_ecdsa_key.pub diff --git a/Secret/ssh_front/etc/ssh/ssh_host_ed25519_key b/private/front_ssh/ssh_host_ed25519_key similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_ed25519_key rename to private/front_ssh/ssh_host_ed25519_key diff --git a/Secret/ssh_front/etc/ssh/ssh_host_ed25519_key.pub b/private/front_ssh/ssh_host_ed25519_key.pub similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_ed25519_key.pub rename to private/front_ssh/ssh_host_ed25519_key.pub diff --git a/Secret/ssh_front/etc/ssh/ssh_host_rsa_key b/private/front_ssh/ssh_host_rsa_key similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_rsa_key rename to private/front_ssh/ssh_host_rsa_key diff --git a/Secret/ssh_front/etc/ssh/ssh_host_rsa_key.pub b/private/front_ssh/ssh_host_rsa_key.pub similarity index 100% rename from Secret/ssh_front/etc/ssh/ssh_host_rsa_key.pub rename to private/front_ssh/ssh_host_rsa_key.pub diff --git a/private/test-front-prep b/private/test-front-prep index ab3ca38..69d1cb4 100755 --- a/private/test-front-prep +++ b/private/test-front-prep @@ -48,7 +48,4 @@ iface enp0s8 inet static address 192.168.58.3/24 EOF -( cd ssh_front/etc/ssh/ - chmod 600 ssh_host_* - chmod 644 ssh_host_*.pub - sudo cp -b ssh_host_* /etc/ssh/ ) +( cd front_ssh/; sudo cp -b ssh_host_* /etc/ssh/ ) diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 125b43b..90e0b8a 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml 
@@ -237,11 +237,9 @@ - name: Configure Monkey SSH known hosts. become: yes vars: - pubkeypath: ../Secret/ssh_front/etc/ssh - pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub" - pubkey: "{{ lookup('file', pubkeyfile) }}" + pubkey: "{{ lookup('file', '../private/front_ed25519_key.pub') }}" lineinfile: - regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 " + regexp: "^{{ domain_name }},{{ front_addr }} ssh-ed25519 " line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}" path: /home/monkey/.ssh/known_hosts create: yes diff --git a/roles_t/front/handlers/main.yml b/roles_t/front/handlers/main.yml index 21f962a..3b46b63 100644 --- a/roles_t/front/handlers/main.yml +++ b/roles_t/front/handlers/main.yml @@ -1,11 +1,4 @@ --- -- name: Reload SSH server. - become: yes - systemd: - service: ssh - state: reloaded - tags: actualizer - - name: Restart Postfix. become: yes systemd: diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index 5c73f96..24809dd 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -31,21 +31,6 @@ append: yes groups: root,adm -- name: Install SSH host keys. - become: yes - copy: - src: ../Secret/ssh_front/etc/ssh/{{ item.name }} - dest: /etc/ssh/{{ item.name }} - mode: "{{ item.mode }}" - loop: - - { name: ssh_host_ecdsa_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_ecdsa_key.pub, mode: "u=rw,g=r,o=r" } - - { name: ssh_host_ed25519_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_ed25519_key.pub, mode: "u=rw,g=r,o=r" } - - { name: ssh_host_rsa_key, mode: "u=rw,g=,o=" } - - { name: ssh_host_rsa_key.pub, mode: "u=rw,g=r,o=r" } - notify: Reload SSH server. - - name: Create monkey. become: yes user:
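Review bot: in the README.org hunk at @@ -418 the key inventory loses its only pointer to Front's host key without gaining a new one. Add a list entry for =private/front_ed25519_key.pub= (and the test keypairs in =private/front_ssh/=) alongside =Secret/ssh_monkey/=, since the Core role now reads that file to build Monkey's known_hosts.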
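Review bot: the README.org hunk at @@ -932 has a missing word ("the new machine's ssh public host key is copied") and the added command uses `sysadm@$H` while every neighbouring command in this section spells out `sysadm@159.65.75.60`; either define H in the text or use the literal address. More importantly, `private/front_ed25519_key.pub` is committed as a symlink (the new 120000 entry pointing at `front_ssh/ssh_host_ed25519_key.pub`), so `scp ... private/front_ed25519_key.pub` writes through the link and overwrites the test public key in `private/front_ssh/` instead of replacing the link. The procedure should `rm private/front_ed25519_key.pub` before the `scp`, or copy to a temporary name and `mv` it into place.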
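Review bot: the README.org hunk at @@ -7239 deletes `sysadm@front$ scp -r USER@SERVER:ssh_front/ ./` without adding a replacement, so nothing fetches `front_ssh/` onto front before `./test-front-prep` runs, and the script's `cd front_ssh/` will not find the directory. Add `: sysadm@front$ scp -r USER@SERVER:front_ssh/ ./` after the `test-front-prep` fetch line.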
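Review bot: the rewritten paragraph in the README.org hunk at @@ -7321 still hinges on "(if Ansible were to install the test identities)", but the "Install SSH host keys." task is deleted in this same commit, so the parenthetical describes behaviour that no longer exists. Reword it to say that Ansible no longer installs host keys and only expects front's running key to match =private/front_ed25519_key.pub=, which is why the test keys must be put in place by =test-front-prep= beforehand.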
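Review bot: the private/test-front-prep hunk drops the `chmod 600 ssh_host_*` and `chmod 644 ssh_host_*.pub` lines, so the modes of the private host keys on front now depend entirely on `scp -r` preserving the checkout's modes; sshd refuses a host key that is group- or world-readable, so keep the chmods or use `sudo install -m 600` for the private keys and `-m 644` for the `.pub` files. Also prefer `( cd front_ssh/ && sudo cp -b ssh_host_* /etc/ssh/ )` so a failed `cd` does not run `cp` in the wrong directory.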
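Review bot: in the roles_t/core/tasks/main.yml hunk at @@ -237 (mirrored in README.org at @@ -2921), switching the `lineinfile` regexp from `ecdsa-sha2-nistp256` to `ssh-ed25519` adds the new entry but never removes the old one, so a Core that was configured before this change keeps a stale `{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 ...` line for a key Front no longer uses. Add a preceding `lineinfile` task with `state: absent` and `regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "` on `/home/monkey/.ssh/known_hosts` so the stale key is cleaned up.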