The *ssh-host-cert-sign@.service* unit does what it says on the tin:
requests a signed host certificate from an SSHCA server. It is a
template unit, whose instances correspond to SSH key types (RSA, ECDSA,
and Ed25519). The *ssh-host-certs.target* unit depends on the three
instances of the template unit, so they can all be activated together.
This target is only activated on the first boot of the system, to
initially request the certificates.
The *ssh-host-certs-renew.timer* unit periodically renews the SSH hosts
certificates. Its corresponding target unit depends on the three
instances of *ssh-host-cert-sign@.service*, so each certificate will be
renewed independently.
The *sshca-cli* RPM package can be used to install the SSHCA CLI client
on Fedora (and other RPM-based distributions). The `.spec` file was
originally generated using [rust2rpm], but several manual modifications
were required. Notably, the script does not generate `BuildRequres`
tags when run in "vendored" mode (i.e. third-party crate sources are
included in the source RPM package instead of packaged as separate
RPMS).
The CLI tool will be the primary method for interacting with the SSH CA
service. For now, it supports a single operation: `sshca-cli host
sign`, which requests a certificate to be signed by the CA service.`
I realized that allowing hosts to request certificates for arbitrary
aliases sort of defeats the purpose of the authentication process. If a
host successfully authenticates, there would be nothing stopping it from
requesting a certificate for another host. I will have to come up with
a different way of specifying aliases. Probably something like a JSON
map containing pre-assigned aliases for hosts that will need them.
Since hosts have multiple keys that they will want to have signed, they
will need to make multiple requests, either sequentially or in parallel.
Since each request must be authenticated individually, this would result
in a libvirt connection and lookup for each one. To avoid this
overhead, the server will now cache machine IDs in memory for 60
seconds.
Dustin