From 9dc20b4fd4edfa675c04a2deda7e45340086d446 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 12 Sep 2025 07:16:02 -0500
Subject: [PATCH] systemd: Add unit to auto reload sshd after renew

`sshd` no longer appears to automatically pick up the new certificate after it has been renewed by `ssh-host-cert-sign@.service`; we need to explicitly reload it. To handle this, I've added a systemd _path_ unit that monitors the certificate files for changes and triggers a corresponding _service_ unit that reloads the SSH daemon.
---
 reload-ssh-cert.path | 11 +++++++++++
 reload-ssh-cert.service | 24 ++++++++++++++++++++++++
 sshca-cli.spec | 12 ++++++++----
 3 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 reload-ssh-cert.path
 create mode 100644 reload-ssh-cert.service

diff --git a/reload-ssh-cert.path b/reload-ssh-cert.path
new file mode 100644
index 0000000..f4fdb71
--- /dev/null
+++ b/reload-ssh-cert.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target
diff --git a/reload-ssh-cert.service b/reload-ssh-cert.service
new file mode 100644
index 0000000..c4f2798
--- /dev/null
+++ b/reload-ssh-cert.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
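Review bot: The third watched file, `PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub`, does not follow the `<key>_key-cert.pub` pattern of the rsa and ecdsa entries above it, and ssh-keygen names the certificate it writes for `ssh_host_ed25519_key` as `ssh_host_ed25519_key-cert.pub`. Unless the signing service deliberately writes the shorter name, a renewed ed25519 certificate will never trigger the reload, and nothing will report it because a path unit that never fires is indistinguishable from one with nothing to do. The entry should read `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub`. A one-line comment above `[Path]` stating that these paths must match the output locations of `ssh-host-cert-sign@.service` would help keep the two units from drifting apart.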
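Review bot: `ExecStart=/usr/bin/systemctl reload sshd` fails when sshd.service is not active, because systemctl refuses to reload an inactive unit, so a certificate renewed while the daemon is stopped (or, presumably, on a host where sshd runs socket-activated and sshd.service is not the unit that is up) leaves this oneshot in a failed state and logs an error on every renewal; `After=sshd.service` only orders the unit and does not make sshd's presence a condition. `ExecStart=/usr/bin/systemctl try-reload-or-restart sshd` reloads when the daemon is running and is a no-op otherwise, which matches the stated intent. Separately, `ProtectControlGroups=yes` is the only boolean spelled `yes` in a file that uses `true` everywhere else; `ProtectControlGroups=true` keeps the file consistent.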
diff --git a/sshca-cli.spec b/sshca-cli.spec
index afe946a..8707677 100644
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@@ -8,7 +8,7 @@ Name: sshca-cli
 Version: 0.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: CLI client for SSHCA SourceLicense: MIT OR Apache-2.0
@@ -22,6 +22,8 @@ Source: ssh-host-cert-sign@.service
 Source: ssh-host-certs.target
 Source: ssh-host-certs-renew.target
 Source: ssh-host-certs-renew.timer
+Source: reload-ssh-cert.path
+Source: reload-ssh-cert.service
 ExclusiveArch: %{rust_arches}
@@ -62,6 +64,8 @@ install -m u=rw,go=r \
  %{SOURCE3} \
  %{SOURCE4} \
  %{SOURCE5} \
+ %{SOURCE6} \
+ %{SOURCE7} \
  $RPM_BUILD_ROOT%{_unitdir}
 %if %{with check}
@@ -70,13 +74,13 @@ install -m u=rw,go=r \
 %endif
 %post systemd
-%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 %preun systemd
-%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 %postun systemd
-%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 %files
 %license LICENSE-Apache-2.0.txt