Signmykey

Installation

On Ubuntu 16.04+, add signmykey repository and key:

echo "deb https://apt.signmykey.io/ stable main" > /etc/apt/sources.list.d/signmykey.list
curl https://gpg.signmykey.io/signmykey.pub | apt-key add -

Then

useradd --no-create-home -s /bin/false signmykey
apt update && apt install signmykey
wget https://raw.githubusercontent.com/signmykeyio/signmykey/master/signmykey.service -O /etc/systemd/system/signmykey.service
systemctl enable signmykey.service
mkdir -m 700 /etc/signmykey

Server certificate

Generate a certificate for signmykey server using Vault PKI

Note: you can use another certificate provider

vault write pki/issue/allow-all-domains common_name="signmykeyserver" alt_names="localhost" ip_sans="127.0.0.1"

Copy the output from the previous command

vi /etc/signmykey/server.key # certificate key
vi /etc/signmykey/server.pem # private_key key
chmod 400 /etc/signmykey/server.key

Server configuration

File /etc/signmykey/server.yml

In this file, you put the Vault AppRole credentials.

LDAP configuration alternative

authenticatorType: ldap
authenticatorOpts:
  ldapAddr: localhost
  ldapPort: 3893
  ldapTLS: False
  ldapTLSVerify: False
  ldapBindUser: "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com"
  ldapBindPassword: "mysecret"
  ldapBase: "dc=glauth,dc=com"
  ldapSearch: "(cn=%s)"

principalsType: ldap
principalsOpts:
  ldapAddr: localhost
  ldapPort: 3893
  ldapTLS: False
  ldapTLSVerify: False
  ldapBindUser: "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com"
  ldapBindPassword: "mysecret"
  ldapBase: "ou=groups,dc=glauth,dc=com"
  ldapSearch: "(cn=%s)"

signerType: vault
signerOpts:
  vaultAddr: "localhost"
  vaultPort: 8200
  vaultTLS: true
  vaultPath: "ssh"
  vaultRole: "sign-user-role"
  vaultRoleID: "11940c2d-4639-9358-d750-cdb7cf409ff4"
  vaultSecretID: "8b4c901f-1f84-5049-17ee-92de12b6b1e5"
  vaultSignTTL: "12h"

address: "0.0.0.0:443"
tlsDisable: false
tlsCert: "/etc/signmykey/server.pem" 
tlsKey: "/etc/signmykey/server.key"

OIDC ROPC configuration alternative

authenticatorType: oidcropc
authenticatorOpts:
  oidcTokenEndpoint: "https://idp.my.corp/auth/realms/mycorp/protocol/openid-connect/token"
  oidcClientID: "signmykey"
  oidcClientSecret: "93fac2d9-bd8f-453a-9ece-e2c430f0ee04"

principalsType: oidcropc
principalsOpts:
  oidcUserinfoEndpoint: "https://idp.my.corp/auth/realms/mycorp/protocol/openid-connect/userinfo"
  oidcUserGroupsEntry: "oidc-groups"

signerType: vault
signerOpts:
  vaultAddr: "localhost"
  vaultPort: 8200
  vaultTLS: true
  vaultPath: "ssh"
  vaultRole: "sign-user-role"
  vaultRoleID: "11940c2d-4639-9358-d750-cdb7cf409ff4"
  vaultSecretID: "8b4c901f-1f84-5049-17ee-92de12b6b1e5"
  vaultSignTTL: "12h"

address: "0.0.0.0:443"
tlsDisable: false
tlsCert: "/etc/signmykey/server.pem" 
tlsKey: "/etc/signmykey/server.key"

Secure the config file

chmod 600 /etc/signmykey/server.yml
chown -R signmykey: /etc/signmykey

Server start

systemctl start signmykey.service
systemctl status signmykey.service

Client configuration

Global configuration

mkdir /etc/signmykey

Content of the /etc/signmykey/client.yml file:

addr: "https://signmykeyserver/"

User configuration

Content of the ~/.signmykey.yml file:

addr: "https://signmykeyserver/"

Client usage

Sign your key

signmykey -u johndoe

Verify your key principals

ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub

Look at Principals in the output:

/home/myuser/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT ce:75:5e:4d:3a:db:29:f4:69:3f:98:39:80:48:a3:0f
        Signing CA: RSA 04:cc:f7:15:b6:3a:ab:9a:9a:cf:e8:e4:82:5d:a9:0e
        Key ID: "johndoe"
        Serial: 15992710984477402823
        Valid: from 2018-07-30T15:26:46 to 2018-07-31T15:27:16
        Principals: 
                superheros
                vpn
        Critical Options: (none)
        Extensions: 
                permit-pty