From 5ab5c3e98da4e95a4d5083911432ca81cd4ab4fb Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 5 Nov 2023 18:32:58 -0600
Subject: [PATCH] rpm: Add systemd service/target/timer units

The *ssh-host-cert-sign@.service* unit does what it says on the tin: requests a signed host certificate from an SSHCA server. It is a template unit, whose instances correspond to SSH key types (RSA, ECDSA, and Ed25519).

The *ssh-host-certs.target* unit depends on the three instances of the template unit, so they can all be activated together. This target is only activated on the first boot of the system, to initially request the certificates.

The *ssh-host-certs-renew.timer* unit periodically renews the SSH hosts certificates. Its corresponding target unit depends on the three instances of *ssh-host-cert-sign@.service*, so each certificate will be renewed independently.
---
 ssh-host-cert-sign@.service | 34 ++++++++++++++++++++++++++++++++++
 ssh-host-certs-renew.target | 7 +++++++
 ssh-host-certs-renew.timer | 12 ++++++++++++
 ssh-host-certs.target | 10 ++++++++++
 sshca-cli.spec | 33 +++++++++++++++++++++++++++++++++
 5 files changed, 96 insertions(+)
 create mode 100644 ssh-host-cert-sign@.service
 create mode 100644 ssh-host-certs-renew.target
 create mode 100644 ssh-host-certs-renew.timer
 create mode 100644 ssh-host-certs.target

diff --git a/ssh-host-cert-sign@.service b/ssh-host-cert-sign@.service
new file mode 100644
index 0000000..0efde1e
--- /dev/null
+++ b/ssh-host-cert-sign@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
diff --git a/ssh-host-certs-renew.target b/ssh-host-certs-renew.target
new file mode 100644
index 0000000..9e54f1b
--- /dev/null
+++ b/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/ssh-host-certs-renew.timer b/ssh-host-certs-renew.timer
new file mode 100644
index 0000000..3f6f728
--- /dev/null
+++ b/ssh-host-certs-renew.timer
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
diff --git a/ssh-host-certs.target b/ssh-host-certs.target
new file mode 100644
index 0000000..6277e22
--- /dev/null
+++ b/ssh-host-certs.target
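Review bot: The hardening block in ssh-host-cert-sign@.service stops short of a syscall filter: with every `Protect*`/`Restrict*` option already set, `SystemCallFilter=@system-service` and `SystemCallArchitectures=native` are the usual companions and would confine a compromised `sshca-cli` further; they belong after `RestrictSUIDSGID=yes`. The retained `CapabilityBoundingSet=CAP_CHOWN` also deserves a comment stating why the signing client needs it, since the ExecStart line only reads `ssh_host_%I_key.pub` and writes `ssh_host_%I_key-cert.pub`, and under `PrivateUsers=yes` a chown to a UID outside the unit's mapping would fail anyway. Note too that `ReadWritePaths=/etc/ssh` exposes every private host key (`ssh_host_*_key`) read/write to a unit that needs only the public key and the certificate path; if the client cannot be pointed at a narrower location, that residual exposure is worth recording in a comment next to the line.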
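Review bot: Because ssh-host-certs-renew.target pulls the three instances in with `Wants=`, the target reaches active even when all three signing runs fail, so an approaching certificate expiry is silent unless someone reads the journal; nothing in the hunk surfaces the failure. An `OnFailure=` hook on the service template (the first hunk) rather than on this target would be the natural place to raise it. Separately, `Description=Request SSH Host Certificates` is identical to the description of ssh-host-certs.target; `Description=Renew SSH Host Certificates` would tell the two apart in `systemctl` and journal output.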
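Review bot: `OnCalendar=Tue *-*-* 00:00:00` together with `RandomizedDelaySec=48h` means up to roughly nine days can pass between renewal attempts, and a further week if one attempt fails, so the certificate lifetime issued by the SSHCA server must be comfortably longer than that; the timer does not record that assumption anywhere. A comment above the `[Timer]` section, along the lines of `# Certificates must stay valid for well over nine days (weekly run plus 48h jitter, plus one missed run)`, would make the coupling explicit for whoever tunes either side. `Unit=%N.target` resolves to ssh-host-certs-renew.target, which matches the target added in the previous hunk.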
@@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sshca-cli.spec b/sshca-cli.spec
index 07b3ab9..55197cb 100644
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@@ -18,17 +18,30 @@ License: MIT OR Apache-2.0
 URL: https://git.pyrocufflink.net/dustin/sshca
 Source: sshca-cli-%{version}.tar.xz
 Source: sshca-cli-%{version}-vendor.tar.xz
+Source: ssh-host-cert-sign@.service
+Source: ssh-host-certs.target
+Source: ssh-host-certs-renew.target
+Source: ssh-host-certs-renew.timer
 
 ExclusiveArch: %{rust_arches}
 BuildRequires: cargo-rpm-macros >= 25
 BuildRequires: openssl-devel
+BuildRequires: systemd-rpm-macros
 
 %global _description %{expand:
 CLI client for SSHCA.}
 
 %description %{_description}
 
+%package systemd
+Summary: systemd units for managing SSH host certificates with SSHCA
+Requires: %{name} = %{version}
+
+%description systemd
+A collection of systemd service, timer, and target units that automatically
+request and renew SSH host certificates from an SSHCA server.
+
 %prep
 %autosetup -n %{crate}-%{version} -p1 -a1
 %cargo_prep -v vendor
@@ -43,11 +56,28 @@ CLI client for SSHCA.}
 %install
 %cargo_install
 
+mkdir -p $RPM_BUILD_ROOT%{_unitdir}
+install -m u=rw,go=r \
+ %{SOURCE2} \
+ %{SOURCE3} \
+ %{SOURCE4} \
+ %{SOURCE5} \
+ $RPM_BUILD_ROOT%{_unitdir}
+
 %if %{with check}
 %check
 %cargo_test
 %endif
 
+%post systemd
+%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
+
+%preun systemd
+%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
+
+%postun systemd
+%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
+
 %files
 %license LICENSE-Apache-2.0.txt
 %license LICENSE-MIT.txt
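Review bot: `ConditionFirstBoot=yes` in ssh-host-certs.target only holds when systemd treats the boot as the machine's first one, so on a host where the systemd subpackage is installed after provisioning — the ordinary case for an RPM — the target never starts and no initial certificate is requested; the renewal timer then does nothing until its first Tuesday run. Unless the package is meant only for image builds, that expectation should be documented in the unit, e.g. `# Runs on the very first boot only; on an already-installed host, start ssh-host-certs-renew.target once by hand`, or in the subpackage %description. There is also no ordering against sshd.service, so nothing guarantees the certificate files exist before sshd reads its HostCertificate paths; that may be acceptable, but it is worth stating.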
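Review bot: `Requires: %{name} = %{version}` in the new `%package systemd` stanza pins only the version, so the subpackage can be installed against a base package from a different build; the conventional form is `Requires: %{name} = %{version}-%{release}`. The `%post systemd` scriptlet relies on `%systemd_post`, which enables units only according to distribution presets, so without a shipped preset file ssh-host-certs.target and ssh-host-certs-renew.timer will most likely remain disabled after installation; that should be either documented in the %description or addressed with a preset. The `%{SOURCE2}`–`%{SOURCE5}` references in `%install` depend on the implicit numbering of the bare `Source:` tags, which silently shifts if a source is later inserted; explicit `Source2:`…`Source5:` tags would make the mapping robust.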
@@ -55,6 +85,9 @@ CLI client for SSHCA.}
 %license cargo-vendor.txt
 %{_bindir}/sshca-cli
 
+%files systemd
+%{_unitdir}/*
+
 %changelog
 * Sun Nov 05 2023 Dustin C. Hatch - 0.1.0-1
 - Initial package