sample systemd unit file #34
Open: cannadayr wants to merge 1 commit into cloudtools:master from cannadayr:master (base: master)
Open
@@ -0,0 +1,31 @@ | ||
# Tested on debian jessie | ||
|
||
# Setting up: | ||
# cp examples/startup/ssh-cert-authority.service ~/.config/systemd/user/ssh-cert-authority.service | ||
# systemctl --user enable ssh-cert-authority | ||
# systemctl --user start ssh-cert-authority | ||
|
||
# Note: if you get a DBUS warning & are using sudo use '-E' to preserve environment | ||
|
||
[Unit] | ||
|
||
Description=ssh-cert-authority service | ||
After=network.target | ||
|
||
[Service] | ||
Type=simple | ||
Environment=SSH_AUTH_SOCK=%t/ssh-cert-authority.socket | ||
|
||
# substitute your own signing key for id_ecdsa | ||
# substitute your own GOPATH (or add to environment) | ||
ExecStart=/bin/bash -c "\ | ||
/usr/bin/ssh-agent -a $SSH_AUTH_SOCK; \ | ||
/usr/bin/ssh-add ~/.ssh/id_ecdsa; \ | ||
/usr/bin/ssh-agent $GOPATH/bin/ssh-cert-authority runserver" | ||
|
||
Restart=always | ||
RestartSec=3 | ||
|
||
[Install] | ||
WantedBy=default.target | ||
|
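Review bot: the ExecStart chain loads the key into one agent and then runs the daemon under a different one. `/usr/bin/ssh-agent -a $SSH_AUTH_SOCK` starts a detached agent on `%t/ssh-cert-authority.socket` and `ssh-add ~/.ssh/id_ecdsa` puts the key there, but the final `/usr/bin/ssh-agent $GOPATH/bin/ssh-cert-authority runserver` starts a second agent that sets its own fresh SSH_AUTH_SOCK before exec'ing the daemon, so the daemon is handed an agent that holds no key. A service also has no tty, so `ssh-add` cannot prompt for a passphrase and the unit only works with an unencrypted id_ecdsa; that is the concern the maintainer raises below. Suggest dropping the first agent and the `ssh-add` line, keeping only `/usr/bin/ssh-agent $GOPATH/bin/ssh-cert-authority runserver`, and relying on the PrivateKeyFile setting in the signcertd config (or on the operator running ssh-add against the daemon's agent after start-up). The `Environment=SSH_AUTH_SOCK=...` line then becomes unnecessary, since the wrapping ssh-agent chooses the socket path itself.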
Hey thank you for the patch here. I think there may be a more efficient way to do what you're doing here for the add. Did you see the PrivateKeyFile configuration option for signcertd? With that option you can run this like I do in the upstart example that's in here:
/usr/bin/ssh-agent $GOPATH/bin/ssh-cert-authority runserver
When run that way ssh-agent starts, sets the SSH_AUTH_SOCK to be the path to a new agent socket and then execs ssh-cert-authority. When combined with the PrivateKeyFile config option the ssh-cert-authority daemon will automatically load the private key.
You can take this even further with the encrypt-key subcommand of ssh-cert-authority if you're on Amazon. I tried to write a step by step here: https://github.com/cloudtools/ssh-cert-authority/blob/master/README.rst#encrypting-a-ca-key-using-amazons-kms
The encrypt-key suggestion won't affect this patch; decryption of the key is transparent when it's in place. That's just a runtime suggestion for you.
Moving forward with this pull request I'll request that you change to leverage PrivateKeyFile and assume that the caller is either using that or doing ssh-add themselves after the daemon starts. This is mostly because I don't want an example in the tree that suggests a user should have an unencrypted certificate authority anywhere.
Thanks again for taking the time to put this together and send the request.
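The unit below is an added example of the shape the maintainer is asking for; it is not the project's file and not the patch under review. It keeps the PR's user-unit layout (install it under ~/.config/systemd/user/ as the patch's header comment describes) but replaces the ssh-agent/ssh-add/ssh-agent chain with the single wrapped command from the comment above. It assumes GOPATH is not already in the user manager's environment and sets it to %h/go (a placeholder; %h is the user's home directory), and it assumes the signcertd configuration the daemon reads has PrivateKeyFile set, so no key is ever added to the agent by the unit:

```ini
# Added example (not the project's file): user unit that follows the
# maintainer's suggestion of running the daemon directly under ssh-agent
# and letting PrivateKeyFile in the signcertd config supply the CA key.

[Unit]
Description=ssh-cert-authority service
After=network.target

[Service]
Type=simple
# Assumption: GOPATH is not set for the user manager, so it is set here.
# %h expands to the user's home directory; adjust the placeholder path.
Environment=GOPATH=%h/go

# ssh-agent starts, sets SSH_AUTH_SOCK to its own new socket and execs the
# daemon, so no Environment=SSH_AUTH_SOCK line is needed. There is no
# ssh-add: the daemon loads its key through PrivateKeyFile, which means the
# unit never depends on an unencrypted key sitting in ~/.ssh.
ExecStart=/usr/bin/ssh-agent ${GOPATH}/bin/ssh-cert-authority runserver

Restart=always
RestartSec=3

[Install]
WantedBy=default.target
```

Because the agent is started as the service's own process, systemd's default control-group kill on stop or restart takes the agent down with the daemon, and nothing outside the unit is left holding key material. If an operator prefers not to use PrivateKeyFile, the alternative the maintainer names is to run ssh-add against the daemon's agent socket by hand after the service is up, rather than baking the key into the unit.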
yup, makes sense. I'll fix this up to get it more in line w/ prj.