systemd: Add unit to auto reload sshd after renew
dustin/sshca-cli/pipeline/head This commit looks good
Details
dustin/sshca-cli/pipeline/head This commit looks good
Details
`sshd` no longer appears to automatically pick up the new certificate after it has been renewed by `ssh-host-cert-sign@.service`; we need to explicitly reload it. To handle this, I've added a systemd _path_ unit that monitors the certificate files for changes and triggers a corresponding _service_ unit that reloads the SSH daemon.dev/auto-reload
parent
730448c79d
commit
9dc20b4fd4
|
|
@ -0,0 +1,11 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Watch SSH Host certificates for renewal
|
||||||
|
After=sshd.service
|
||||||
|
|
||||||
|
[Path]
|
||||||
|
PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
|
||||||
|
PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||||
|
PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=paths.target
|
||||||
|
|
@ -0,0 +1,24 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Reload SSH daemon when certificate is renewed
|
||||||
|
After=sshd.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/systemctl reload sshd
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
NoNewPrivileges=true
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectHome=true
|
||||||
|
PrivateDevices=true
|
||||||
|
PrivateTmp=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX
|
||||||
|
LockPersonality=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
|
@ -8,7 +8,7 @@
|
||||||
|
|
||||||
Name: sshca-cli
|
Name: sshca-cli
|
||||||
Version: 0.1.1
|
Version: 0.1.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: CLI client for SSHCA
|
Summary: CLI client for SSHCA
|
||||||
|
|
||||||
SourceLicense: MIT OR Apache-2.0
|
SourceLicense: MIT OR Apache-2.0
|
||||||
|
|
@ -22,6 +22,8 @@ Source: ssh-host-cert-sign@.service
|
||||||
Source: ssh-host-certs.target
|
Source: ssh-host-certs.target
|
||||||
Source: ssh-host-certs-renew.target
|
Source: ssh-host-certs-renew.target
|
||||||
Source: ssh-host-certs-renew.timer
|
Source: ssh-host-certs-renew.timer
|
||||||
|
Source: reload-ssh-cert.path
|
||||||
|
Source: reload-ssh-cert.service
|
||||||
|
|
||||||
ExclusiveArch: %{rust_arches}
|
ExclusiveArch: %{rust_arches}
|
||||||
|
|
||||||
|
|
@ -62,6 +64,8 @@ install -m u=rw,go=r \
|
||||||
%{SOURCE3} \
|
%{SOURCE3} \
|
||||||
%{SOURCE4} \
|
%{SOURCE4} \
|
||||||
%{SOURCE5} \
|
%{SOURCE5} \
|
||||||
|
%{SOURCE6} \
|
||||||
|
%{SOURCE7} \
|
||||||
$RPM_BUILD_ROOT%{_unitdir}
|
$RPM_BUILD_ROOT%{_unitdir}
|
||||||
|
|
||||||
%if %{with check}
|
%if %{with check}
|
||||||
|
|
@ -70,13 +74,13 @@ install -m u=rw,go=r \
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%post systemd
|
%post systemd
|
||||||
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
|
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||||
|
|
||||||
%preun systemd
|
%preun systemd
|
||||||
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
|
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||||
|
|
||||||
%postun systemd
|
%postun systemd
|
||||||
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
|
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE-Apache-2.0.txt
|
%license LICENSE-Apache-2.0.txt
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue