Last active
December 31, 2024 11:38
-
-
Save tashian/244fc69ccb7ceec433c7811e91cbf0b7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This script will launch and configure a step-ca SSH Certificate Authority | |
| # on AWS in an Ubuntu / Debian-based VM with OIDC and AWS provisioners | |
| # | |
| # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions | |
| OIDC_CLIENT_ID="[OAuth client ID]" # from Google | |
| OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google | |
| ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]" | |
| CA_NAME="[A name for your CA]" | |
| ROOT_KEY_PASSWORD="[A password for your CA's root key]" | |
| EMAIL="your@email.address" | |
| OPENID_CONFIG_ENDPOINT="https://accounts.google.com/.well-known/openid-configuration" | |
| case $(arch) in | |
| x86_64) | |
| ARCH="amd64" | |
| ;; | |
| aarch64) | |
| ARCH="arm64" | |
| ;; | |
| esac | |
| # Install step and step-ca | |
| curl -sLO https://dl.smallstep.com/cli/docs-cli-install/latest/step-cli_${ARCH}.deb | |
| dpkg -i step-cli_${ARCH}.deb | |
| curl -sLO https://dl.smallstep.com/certificates/docs-ca-install/latest/step-ca_${ARCH}.deb | |
| dpkg -i step-ca_${ARCH}.deb | |
| # All your CA config and certificates will go into $STEPPATH. | |
| export STEPPATH=/etc/step-ca | |
| mkdir -p $STEPPATH | |
| chmod 700 $STEPPATH | |
| echo $ROOT_KEY_PASSWORD > $STEPPATH/password.txt | |
| # Add a service to systemd for our CA. | |
| cat<<EOF > /etc/systemd/system/step-ca.service | |
| [Unit] | |
| Description=step-ca service | |
| After=network.target | |
| StartLimitIntervalSec=0 | |
| [Service] | |
| Type=simple | |
| Restart=always | |
| RestartSec=1 | |
| User=root | |
| Environment=STEPPATH=/etc/step-ca | |
| ExecStart=/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| # Get AWS host metadata (IMDSv2) | |
| AWS_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") | |
| LOCAL_HOSTNAME=$(curl -H "X-aws-ec2-metadata-token: $AWS_TOKEN" -s http://169.254.169.254/latest/meta-data/local-hostname) | |
| LOCAL_IP=$(curl -H "X-aws-ec2-metadata-token: $AWS_TOKEN" -s http://169.254.169.254/latest/meta-data/local-ipv4) | |
| PUBLIC_HOSTNAME=$(curl -H "X-aws-ec2-metadata-token: $AWS_TOKEN" -s http://169.254.169.254/latest/meta-data/public-hostname) | |
| PUBLIC_IP=$(curl -H "X-aws-ec2-metadata-token: $AWS_TOKEN" -s http://169.254.169.254/latest/meta-data/public-ipv4) | |
| AWS_ACCOUNT_ID=$(curl -H "X-aws-ec2-metadata-token: $AWS_TOKEN" -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep accountId | awk '{print $3}' | sed 's/"//g' | sed 's/,//g') | |
| # Set up our basic CA configuration and generate root keys | |
| step ca init --ssh --name="$CA_NAME" \ | |
| --dns="$LOCAL_IP,$LOCAL_HOSTNAME,$PUBLIC_IP,$PUBLIC_HOSTNAME" \ | |
| --address=":443" --provisioner="$EMAIL" \ | |
| --password-file="$STEPPATH/password.txt" | |
| # Add the Google OAuth provisioner, for user certificates | |
| step ca provisioner add Google --type=oidc --ssh \ | |
| --client-id="$OIDC_CLIENT_ID" \ | |
| --client-secret="$OIDC_CLIENT_SECRET" \ | |
| --configuration-endpoint="$OPENID_CONFIG_ENDPOINT" \ | |
| --domain="$ALLOWED_DOMAIN" | |
| # Add the AWS provisioner, for host bootstrapping | |
| step ca provisioner add "Amazon Web Services" --type=AWS --ssh \ | |
| --aws-account=$AWS_ACCOUNT_ID | |
| # The sshpop provisioner lets hosts renew their ssh certificates | |
| step ca provisioner add SSHPOP --type=sshpop --ssh | |
| # Use Google (OIDC) as the default provisioner in the end user's | |
| # ssh configuration template. | |
| sed -i 's/\%p$/%p --provisioner="Google"/g' /etc/step-ca/templates/ssh/config.tpl | |
| service step-ca start | |
| echo "export STEPPATH=$STEPPATH" >> /root/.profile |
Author
tashian
commented
Jul 15, 2024
- Updated to use IMDSv2
- Updated to use unversioned URLs for downloading step and step-ca
Hello, it seems that lines 27-28 are exactly the same as lines 30-31.
Is this intentional?
This way, I think that step-ca is not being installed.
Hello, it seems that lines 27-28 are exactly the same as lines 30-31. Is this intentional?
This way, I think that step-ca is not being installed.
Thank you @BrumaDaniel. Fixed.
Hi. I'm not sure whether this does anything anymore:
# Use Google (OIDC) as the default provisioner in the end user's
# ssh configuration template.
sed -i 's/\%p$/%p --provisioner="Google"/g' /etc/step-ca/templates/ssh/config.tpl
On my installations, it doesn't.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment