Add function to sign SSH key

This will enable the known_hosts to work. shosts.equiv and sshd and ssh client config will be handled elsewhere. shosts.equiv will just be everything.
2025-02-28 08:11:45 +00:00 · 2020-03-06 16:55:06 -05:00 · 2020-03-06 16:55:06 -05:00 · 82921fb53d
commit 82921fb53d
parent 59a0b00208
1 changed files with 19 additions and 1 deletions
--- a/misc/sshca.py
+++ b/misc/sshca.py
@ -4,6 +4,8 @@ import confluent.collective.manager as collective
 import eventlet.green.subprocess as subprocess
 import glob
 import os
+import shutil
+import tempfile

 def normalize_uid():
    curruid = os.getuid()
@ -44,6 +46,21 @@ def initialize_ca():
        for ckh in currknownhosts:
            skh.write(ckh)

+def sign_host_key(pubkey, nodename):
+    tmpdir = tempfile.mkdtemp()
+    try:
+        pkeyname = os.path.join(tmpdir, 'hostkey.pub')
+        with open(pkeyname, 'w') as pubfile:
+            pubfile.write(pubkey)
+        subprocess.check_call(
+            ['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
+             '-n', nodename, '-h', pkeyname])
+        certname = pkeyname.replace('.pub', '-cert.pub')
+        with open(certname) as cert:
+            return cert.read()
+    finally:
+        shutil.rmtree(tmpdir)
+
 def initialize_root_key():
    authorized = []
    for currkey in glob.glob('/root/.ssh/*.pub'):
@ -88,4 +105,5 @@ def ca_exists():
 if __name__ == '__main__':
    initialize_root_key()
    if not ca_exists():
-        initialize_ca()
+        initialize_ca()
+    print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))