Last active
March 23, 2021 00:24
-
-
Save a1994sc/73c1bbfb0de42a8146847aa79c7c7b33 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #adding your own user to log in with | |
| export git_user=<user> | |
| export user_name=<user> | |
| adduser $user_name | |
| usermod -a -G adm,dialout,cdrom,floppy,sudo,audio,dip,video,plugdev,netdev,lxd $user_name | |
| mkdir /home/$user_name/.ssh | |
| wget -O - https://github.com/$git_user.keys >> /home/$user_name/.ssh/authorized_keys | |
| chown -R $user_name:$user_name /home/$user_name | |
| sudo apt update && sudo apt upgrade -y | |
| #optional but you might want to delete the "ubuntu" user | |
| sudo deluser --remove-home ubuntu | |
| #removing root ssh access | |
| sudo nano /etc/ssh/sshd_config | |
| ~ ChallengeResponseAuthentication no | |
| ~ PasswordAuthentication no | |
| ~ UsePAM no | |
| + PermitRootLogin no | |
| #(optional) I like to disable asking for password on sudo, I know in production this is bad but for just me working on this I will take the risk. | |
| sudo visudo | |
| + <user> ALL=(ALL) NOPASSWD: ALL | |
| #updating the timeezone. | |
| sudo hostnamectl set-hostname tinyca | |
| sudo timedatectl set-timezone America/New_York | |
| timedatectl | |
| #fire (optional, but fire) | |
| curl -LO https://github.com/13-37-org/infnoise/archive/0.3.1.tar.gz | |
| tar xvzf 0.3.1.tar.gz | |
| cd infnoise-0.3.1/software | |
| sudo apt-get install -y libftdi-dev libusb-dev | |
| make -f Makefile.linux | |
| sudo make -f Makefile.linux install | |
| #verify fire | |
| sudo reboot | |
| sudo systemctl status infnoise | |
| infnoise --debug --no-output | |
| #adding the yubikey support | |
| sudo apt-add-repository ppa:yubico/stable | |
| sudo apt update | |
| sudo apt install -y yubico-piv-tool yubikey-manager | |
| #installing go lang | |
| curl -LO https://golang.org/dl/go1.16.linux-arm64.tar.gz | |
| sudo tar -C /usr/local -xzf go1.16.linux-arm64.tar.gz | |
| nano .profile | |
| + export PATH=$PATH:/usr/local/go/bin | |
| source .profile | |
| #installing step, plus the missing packages that aren't included on ubuntu server for RPi | |
| curl -LO https://github.com/smallstep/certificates/archive/v0.15.5.tar.gz | |
| tar xvzf v0.15.5.tar.gz | |
| cd certificates-0.15.5/ | |
| sudo apt-get install -y libpcsclite-dev gcc make pkg-config | |
| make bootstrap | |
| make build GOFLAGS="" | |
| sudo cp bin/step-ca /usr/local/bin | |
| sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca | |
| step-ca version | |
| #installing step-ca | |
| curl -LO https://github.com/smallstep/cli/releases/download/v0.15.3/step_linux_0.15.3_arm64.tar.gz | |
| tar xvzf step_linux_0.15.3_arm64.tar.gz | |
| sudo cp step_0.15.3/bin/step /usr/local/bin | |
| sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step | |
| step version | |
| #storing ca off disk, plus generating the ca | |
| sudo mount /dev/sdb1 /mnt | |
| cd /mnt | |
| sudo mkdir ca | |
| sudo chown <user>:<user> ca | |
| export STEPPATH=/mnt/ca | |
| step ca init --pki --name="Derpy" | |
| #copying the ca's to the yubikey | |
| ykman piv import-certificate 9a /mnt/ca/certs/root_ca.crt | |
| ykman piv import-key 9a /mnt/ca/secrets/root_ca_key | |
| ykman piv import-certificate 9c /mnt/ca/certs/intermediate_ca.crt | |
| ykman piv import-key 9c /mnt/ca/secrets/intermediate_ca_key | |
| sudo cp /mnt/ca/certs/intermediate_ca.crt /mnt/ca/certs/root_ca.crt /root | |
| cd | |
| sudo umount /mnt | |
| #getting the step service going | |
| sudo useradd step | |
| sudo passwd -l step | |
| sudo mkdir /etc/step-ca | |
| export STEPPATH=/etc/step-ca | |
| sudo --preserve-env step ca init --name="Derpy" --dns="tinyca.int,10.2.1.10" --address=":443" --provisioner="<email>" | |
| sudo chown -R <user>:<user> /etc/step-ca | |
| step ca provisioner add acme --type acme | |
| sudo mv /root/root_ca.crt /root/intermediate_ca.crt /etc/step-ca/certs | |
| sudo rm -rf /etc/step-ca/secrets | |
| #having step use the yubikey | |
| sudo nano /etc/step-ca/config/ca.json | |
| - "key": "/etc/step-ca/secrets/intermediate_ca_key", | |
| + "key": "yubikey:slot-id=9c", | |
| + "kms": { | |
| + "type": "yubikey", | |
| + "pin": "123456" | |
| + }, | |
| sudo chown -R step:step /etc/step-ca | |
| sudo -u step step-ca /etc/step-ca/config/ca.json | |
| sudo nano /etc/udev/rules.d/75-yubikey.rules | |
| + ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/407/*", TAG+="systemd", SYMLINK+="yubikey" | |
| + ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/407/*", TAG+="systemd" | |
| sudo udevadm control --reload-rules | |
| sudo nano /etc/systemd/system/step-ca.service | |
| + [Unit] | |
| + Description=step-ca | |
| + BindsTo=dev-yubikey.device | |
| + After=dev-yubikey.device | |
| + | |
| + [Service] | |
| + User=step | |
| + Group=step | |
| + ExecStart=/bin/sh -c '/usr/local/bin/step-ca /etc/step-ca/config/ca.json' | |
| + Type=simple | |
| + Restart=on-failure | |
| + RestartSec=10 | |
| + | |
| + [Install] | |
| + WantedBy=multi-user.target | |
| sudo mkdir /etc/systemd/system/dev-yubikey.device.wants | |
| sudo ln -s /etc/systemd/system/step-ca.service /etc/systemd/system/dev-yubikey.device.wants/ | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable step-ca | |
| sudo nano /etc/ufw/applications.d/step-ca-server | |
| + [step-ca] | |
| + title=Derpy CA | |
| + description=step-ca is an online X.509 and SSH Certificate Authority | |
| + ports=80,443/tcp | |
| sudo ufw allow step-ca | |
| sudo ufw allow ssh | |
| sudo ufw enable |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment