Configuring target servers with Ansible
The oidc_ssh_ca_trust role, in
ansible/roles/oidc_ssh_ca_trust,
automates the manual setup in
Configuring target servers: making target servers
trust the CA. It touches only the SSH server side — it does not deploy or
configure oidc-ssh-ca itself (for that, see
Choosing a deployment).
On each host the role:
installs the CA public key at
/etc/ssh/oidc-ssh-ca.pub;creates
/etc/ssh/auth_principals/<user>for every entry inoidc_ssh_ca_users, listing the certificate principals allowed to log in as that user;installs
/etc/ssh/sshd_config.d/oidc-ssh-ca.confwithTrustedUserCAKeysand aMatch Userblock per user;validates the configuration with
sshd -t(the fragment when it is written, and the full configuration again before reloading — a broken config never takes effect);reloads sshd, only if something changed.
Requirements
Ansible 2.12 or newer;
become(root) on the target hosts.An sshd whose
/etc/ssh/sshd_configcontainsInclude /etc/ssh/sshd_config.d/*.conf(the default on current Debian, Ubuntu, RHEL, and Fedora). The role fails with a clear error if the include is missing; setoidc_ssh_ca_verify_include: falseif you include the fragment some other way.The CA public key, exported with:
oidc-ssh-ca print-ca-pub --ca-key-file ./ca_key > oidc-ssh-ca.pub
Usage
Point Ansible at the role (for example with
ANSIBLE_ROLES_PATH=path/to/oidc-ssh-ca/ansible/roles, a
roles_path entry in ansible.cfg, or by copying the role into your
own repository), then:
- name: Trust the oidc-ssh-ca certificate authority
hosts: app_servers
become: true
roles:
- role: oidc_ssh_ca_trust
oidc_ssh_ca_public_key: "{{ lookup('file', './oidc-ssh-ca.pub') }}"
oidc_ssh_ca_users:
- user: deploy
principals:
- gha-prod-deploy
- user: staging
principals:
- gha-staging-deploy
ansible-playbook -i inventory.ini site.yml
A runnable copy of this playbook is at
ansible/playbook.example.yml.
The principals must match certificate.principals in the CA’s
policy: a certificate logs in as deploy only if one of
its principals appears in /etc/ssh/auth_principals/deploy. The login
users themselves must already exist; the role does not create accounts.
With the example above, the role writes:
# /etc/ssh/sshd_config.d/oidc-ssh-ca.conf
TrustedUserCAKeys /etc/ssh/oidc-ssh-ca.pub
Match User deploy
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User staging
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no
KbdInteractiveAuthentication no
# /etc/ssh/auth_principals/deploy
gha-prod-deploy
Variables
Variable |
Default |
Purpose |
|---|---|---|
|
— (required) |
CA public key in OpenSSH format ( |
|
— (required) |
List of |
|
|
Where the CA key is installed |
|
|
Directory for per-user principals files |
|
|
Managed sshd fragment |
|
|
Add |
|
|
Fail if |
|
|
Binary used for |
|
|
Service reloaded after changes |
Notes
The role is idempotent: rerunning it without changes reports no changes and does not reload sshd.
oidc_ssh_ca_disable_password_authonly affects the listed users. Password logins for other accounts are untouched — disable them globally yourself if that is your policy.Removing a user from
oidc_ssh_ca_usersremoves theirMatchblock, which is what sshd consults; the now-unreferenced principals file is left behind and is inert. Delete it manually if you want a tidy/etc/ssh/auth_principals.CA key rotation works through this role too:
TrustedUserCAKeysmay list several keys, so setoidc_ssh_ca_public_keyto both public keys (one per line) during the transition, then rerun with only the new key once the old certificates have expired.