systemd: Add unit to auto reload sshd after renew
`sshd` no longer appears to automatically pick up the new certificate after it has been renewed by `ssh-host-cert-sign@.service`; we need to explicitly reload it. To handle this, I've added a systemd _path_ unit that monitors the certificate files for changes and triggers a corresponding _service_ unit that reloads the SSH daemon.
dev/auto-reload
parent
730448c79d
commit
9dc20b4fd4
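--- /dev/null
+++ b/reload-ssh-cert.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target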
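Review bot: The third watch path, `PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub`, does not follow the `ssh_host_<type>_key-cert.pub` pattern used by the rsa and ecdsa lines above it and by OpenSSH's default host-key layout (`ssh_host_ed25519_key` gives `ssh_host_ed25519_key-cert.pub`), so unless the signing unit really writes that name the ed25519 certificate can be renewed without ever triggering a reload, and sshd keeps presenting the stale certificate until its next restart. It should read `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub`. Worth confirming against the output path that ssh-host-cert-sign@.service writes, which is outside this change.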
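--- /dev/null
+++ b/reload-ssh-cert.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true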
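Review bot: `ExecStart=/usr/bin/systemctl reload sshd` fails whenever sshd.service is not active, for example a renewal that lands while the daemon is stopped or during boot before it is up, because `After=sshd.service` only orders startup and does not require sshd to be running, so the oneshot unit ends up in a failed state for a condition that needs no action. `ExecStart=/usr/bin/systemctl try-reload-or-restart sshd.service` reloads a running daemon and is a no-op otherwise, which is what the path trigger wants. The hardening block already confines systemctl to what it needs (no User=, so it runs as root with an empty capability bounding set, and AF_UNIX only for the manager's socket); `SystemCallFilter=@system-service` and `RestrictNamespaces=true` would round it out at no cost here. Minor style point: `ProtectControlGroups=yes` is the only directive written with `yes` instead of `true`; `ProtectControlGroups=true` keeps the block uniform.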
@ -8,7 +8,7 @@
|
|||
|
||||
Name: sshca-cli
|
||||
Version: 0.1.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: CLI client for SSHCA
|
||||
|
||||
SourceLicense: MIT OR Apache-2.0
|
||||
|
@ -22,6 +22,8 @@ Source: ssh-host-cert-sign@.service
|
|||
Source: ssh-host-certs.target
|
||||
Source: ssh-host-certs-renew.target
|
||||
Source: ssh-host-certs-renew.timer
|
||||
Source: reload-ssh-cert.path
|
||||
Source: reload-ssh-cert.service
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
|
@ -62,6 +64,8 @@ install -m u=rw,go=r \
|
|||
%{SOURCE3} \
|
||||
%{SOURCE4} \
|
||||
%{SOURCE5} \
|
||||
%{SOURCE6} \
|
||||
%{SOURCE7} \
|
||||
$RPM_BUILD_ROOT%{_unitdir}
|
||||
|
||||
%if %{with check}
|
||||
|
@ -70,13 +74,13 @@ install -m u=rw,go=r \
|
|||
%endif
|
||||
|
||||
%post systemd
|
||||
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||
|
||||
%preun systemd
|
||||
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||
|
||||
%postun systemd
|
||||
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||
|
||||
%files
|
||||
%license LICENSE-Apache-2.0.txt
|
||||
|
|