From 7f1abd7e75f228fd411ce4b7d18cbe4d8b6e101b Mon Sep 17 00:00:00 2001
From: Andreas Olsson
Date: Mon, 1 Apr 2024 20:55:41 +0200
Subject: [PATCH 1/2] Fix names in README example
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index a441dee..0d65659 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ certificate from it.
 ```yaml
 jobs:
- build:
+ deploy:
 permissions:
 contents: read
 id-token: write
@@ -30,11 +30,11 @@ jobs:
 - name: Deploy site
 if: github.ref == 'refs/heads/main'
 run: >
- rsync -e "ssh -i '$SSH_CERT_PATH'"
+ rsync -e "ssh -i '$SSH_KEY_PATH'"
 --verbose --recursive --delete-after --perms --chmod=D755,F644 build/ deployer@site.example.net:/var/www/site/
 env:
- SSH_CERT_PATH: ${{ steps.ssh_cert.outputs.key_path }}
+ SSH_KEY_PATH: ${{ steps.ssh_cert.outputs.key_path }}
 ```
 Do note that all client certification configuration is expected to
From fb79fafe4cd8df71bffb583e1bde2e028804564e Mon Sep 17 00:00:00 2001
From: Andreas Olsson
Date: Mon, 1 Apr 2024 21:36:58 +0200
Subject: [PATCH 2/2] Extend README with matching OpenSSH example config
---
 README.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/README.md b/README.md
index 0d65659..4eb2754 100644
--- a/README.md
+++ b/README.md
@@ -108,5 +108,30 @@ resource "vault_jwt_auth_backend_role" "example" {
 }
 ```
+```terraform
+output "ssh_ca" {
+ value = vault_ssh_secret_backend_ca.ssh_ca.public_key
+}
+```
+
+### OpenSSH
+
+```ssh-config # /etc/ssh/sshd_config # ... TrustedUserCAKeys /etc/ssh/sshd_user_ca.pub AuthorizedPrincipalsFile /etc/ssh/user_principals/%u
+```
+
+```text # /etc/ssh/sshd_user_ca.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
+```
+
+```text # /etc/ssh/user_principals/deployer github-deploy@example.com
+```
+
 [1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect