Add functionality for signing host keys

Works similarly, but obviously differently, from signing user keys. The
restarting of sshd on the remote server doesn't appear to work reliably.
Not sure why yet. Everything else appears to work right.

Author: bobveznat

README.md

@@ -18,9 +18,22 @@ The primary use case is:
   access for a few hours at which point her access should automatically
   be revoked.
 
+A second use case is around host keys:
+
+  A server is launched into the cloud by an adminstrator and made
+  available to other users over SSH. The first time a user connects to
+  that machine she is prompted to inspect the host key fingerprint and
+  type either "yes" or "no". Most users blindly type yes. By signing a
+  host key and generating a certificate users can blindly accept any
+  server that presents a valid certificate as trustworthy and never be
+  prompted to blindly type "yes" again.
+
 Quick start
 ===========
 
+User keys
+---------
+
 Generate a certificate authority (yep, this is exactly like making an ordinary private key):
 
 `ssh-keygen -f ~/.ssh/ssh_ca_production -b 4096`
@@ -40,6 +53,32 @@ Install the certificate using the other utility in this github repo:
 
 SSH like normal.
 
+Host keys
+---------
+
+First create a CA using ssh-keygen as described in the previous section.
+Then use the `sign_host_key` script included in this distribution.
+
+This script will SSH out to the remote server and:
+
+  - Copy back the host's public key
+  - Sign it (it will ask you for the passphrase to your CA
+  - Copy it back to the host
+  - Restart sshd
+
+Once the cert is in place you need to have your client computers told to
+trust the CA. Take the public portion of your CA and add it into your
+`authorized_keys` file according to this format:
+
+  `@cert-authority *.domain ssh-rsa ...`
+
+The `*.domain` is intended to be the domain you're signing keys for. If
+you were working with a CA that only signed host keys for veznat.com you
+could enter `*.veznat.com`. If you sign keys for all sorts of domains
+you can enter a `*` here without any qualification, however, you should
+understand what this means in the context of a compromised CA before
+doing so.
+
 Usage
 =====
 

scripts/sign_host_key

@@ -0,0 +1,119 @@
+#!/usr/bin/env python
+
+"""Sign a machine's host public key.
+
+This script is used to sign a host's SSH public key using a certificate
+authority's private key. The signed public key can be used to verify that a
+machine is one of your own and very likely the machine you actually want to
+talk to.
+
+For example, imagine a server that is launched by a single user and later
+accessed by dozens of engineers. The first engineer may be able (and may
+actually) verify the host key fingerprint. However, users 2 through n probably
+just type yes when prompted by SSH to verify the fingerprint.
+
+Instead the user setting up the server can sign the host key of the host and
+then all users in an organization can trust the certificate authority that
+signed the host key. When a new user SSHs to a new host so long as the
+certificate is valid the user will not be prompted to type yes.
+
+The final output of this script is an S3 URL containing the host's signed
+certificate. The admin needs to take this URL and download the file it points
+at. The downloaded file should be named exactly like their host SSH key but
+with the suffix "-cert.pub".
+
+For example, if the host key is /etc/ssh/ssh_host_rsa_key.pub do something like:
+
+    curl <THE URL> > /etc/ssh/ssh_host_rsa_key-cert.pub
+
+sshd isn't configured out of the box to look for certs so you need to edit your
+/etc/ssh/sshd_config and add a line like this one:
+
+    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+
+Now you can send a HUP to the sshd parent process. I typically do a ps ax |
+grep sshd and then kill -HUP the lowest numbered pid (or whichever one appears
+most likely to be the parent).
+"""
+import argparse
+import ConfigParser
+import os
+import sys
+import tempfile
+
+from contextlib import closing
+
+import ssh_ca
+import ssh_ca.s3
+
+
+if __name__ == '__main__':
+    default_authority = os.getenv('SSH_CA_AUTHORITY', 's3')
+    default_config = os.path.expanduser(
+        os.getenv('SSH_CA_CONFIG', '~/.ssh_ca/config'))
+
+    parser = argparse.ArgumentParser(__doc__)
+    parser.add_argument('-a', '--authority',
+        dest='authority', default=default_authority,
+        help='Pick one: s3',
+    )
+    parser.add_argument('-c', '--config-file',
+        default=default_config,
+        help='The configuration file to use.  Can also be '
+             'specified in the SSH_CA_CONFIG environment '
+             'variable.  Default: %(default)s',
+    )
+    parser.add_argument('-e', '--environment',
+        required=True,
+        help='Environment name',
+    )
+    parser.add_argument('--hostname',
+        action='append', required=True, dest='hostnames',
+        help='A principal (hostname) that clients can verify. '
+        'This should match what the user types for "ssh <hostname>',
+    )
+    parser.add_argument('-t', '--expires-in',
+        default='+104w',
+        help='Expires in. A relative time like +1w. Or YYYYMMDDHHMMSS. '
+             'Default: %(default)s',
+    )
+    args = parser.parse_args()
+
+    environment = args.environment
+
+    ssh_ca_section = 'ssh-ca-' + args.authority
+
+    config = None
+    if args.config_file:
+        config = ConfigParser.ConfigParser()
+        config.read(args.config_file)
+
+    # Get a valid CA key file
+    ca_key = ssh_ca.get_config_value(config, environment, 'private_key')
+    if ca_key:
+        ca_key = os.path.expanduser(ca_key)
+    else:
+        ca_key = os.path.expanduser('~/.ssh/ssh_ca_%s' % (environment,))
+    if not os.path.isfile(ca_key):
+        print 'CA key file %s does not exist.' % (ca_key,)
+        sys.exit(1)
+
+    try:
+        ca = ssh_ca.s3.S3Authority(config, ssh_ca_section, ca_key)
+    except ssh_ca.SSHCAInvalidConfiguration, e:
+        print 'Issue with creating CA: %s' % e.message
+        sys.exit(1)
+
+    reason = 'New host cert for %r' % (args.hostnames,)
+
+    public_key_contents = ca.get_host_rsa_key(args.hostnames[0])
+    (fd, public_path) = tempfile.mkstemp()
+    with closing(os.fdopen(fd, 'w')) as f:
+        f.write(public_key_contents)
+
+    cert_contents = ca.sign_public_host_key(
+        public_path, args.expires_in, args.hostnames,
+        reason, args.hostnames[0]
+    )
+
+    ca.upload_host_rsa_cert(args.hostnames[0], cert_contents)

ssh_ca/__init__.py

@@ -1,6 +1,7 @@
 import ConfigParser
 import os
 import subprocess
+import time
 
 
 __version__ = "0.2.0"
@@ -41,9 +42,61 @@ def make_audit_log(self,
             serial, valid_for, username, ca_key_filename, reason, principals):
         pass
 
+    def make_host_audit_log(self,
+            serial, valid_for, ca_key_filename, reason, hostnames):
+        pass
+
     def upload_public_key(self, username, public_path):
         pass
 
+    def get_host_rsa_key(self, hostname):
+        """Gets <hostname>'s public rsa key and returns it."""
+        host_pub_key = subprocess.check_output([
+            'ssh', hostname,
+            'cat', '/etc/ssh/ssh_host_rsa_key.pub'
+        ])
+        if not host_pub_key.startswith('ssh-rsa'):
+            raise ValueError('Unable to get host public key: %s' % (
+                host_pub_key,))
+
+        return host_pub_key
+
+    def upload_host_rsa_cert(self, hostname, cert):
+        """Puts <cert> into ssh_host_rsa_key-cert.pub on <hostname>"""
+        subprocess.check_output([
+            'ssh', '-t', hostname,
+            'echo "%s" | sudo tee /etc/ssh/ssh_host_rsa_key-cert.pub' % (cert,)
+        ])
+        host_cert_line = "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"
+        subprocess.check_output([
+            'ssh', '-t', hostname,
+            'echo "%s" | sudo tee -a /etc/ssh/sshd_config' % (host_cert_line,)
+        ])
+        time.sleep(1)
+        subprocess.check_output([
+            'ssh', '-t', hostname,
+            'sudo service sshd restart'
+        ])
+
+    def sign_public_host_key(self,
+            public_key_filename, expires_in, hostnames, reason, key_id):
+        serial = self.increment_serial_number()
+
+        subprocess.check_output([
+            'ssh-keygen',
+            '-h',
+            '-z', str(serial),
+            '-s', self.ca_key,
+            '-I', key_id,
+            '-V', expires_in,
+            '-n', ','.join(hostnames),
+            public_key_filename]
+        )
+        self.make_host_audit_log(
+            serial, expires_in, self.ca_key, reason, hostnames)
+
+        return self.get_cert_contents(public_key_filename)
+
     def sign_public_user_key(self,
             public_key_filename, username, expires_in, reason, principals):
         serial = self.increment_serial_number()
@@ -55,11 +108,15 @@ def sign_public_user_key(self,
             '-I', username,
             '-V', expires_in,
             '-n', ','.join(principals),
-            public_key_filename])
+            public_key_filename]
+        )
 
         self.make_audit_log(
             serial, expires_in, username, self.ca_key, reason, principals)
 
+        return self.get_cert_contents(public_key_filename)
+
+    def get_cert_contents(self, public_key_filename):
         if public_key_filename.endswith('.pub'):
             public_key_filename = public_key_filename[:-4]
         cert_filename = public_key_filename + '-cert.pub'

ssh_ca/s3.py

@@ -69,19 +69,34 @@ def upload_public_key_cert(self, username, cert_contents):
         )
         return k.generate_url(7200)
 
+    def make_host_audit_log(self,
+            serial, valid_for, ca_key_filename, reason, hostnames):
+        audit_info = {
+            'valid_for': valid_for,
+            'access_key': self.s3_conn.access_key,
+            'ca_key_filename': ca_key_filename,
+            'reason': reason,
+            'hostnames': hostnames,
+        }
+        return self.drop_audit_blob(serial, audit_info)
+
     def make_audit_log(self,
             serial, valid_for, username, ca_key_filename, reason, principals):
-        timestamp = datetime.datetime.strftime(
-            datetime.datetime.utcnow(), '%Y-%m-%d-%H:%M:%S.%f')
-        k = self.ssh_bucket.new_key('audit_log/%d.json' % (serial,))
-
         audit_info = {
             'username': username,
             'valid_for': valid_for,
-            'timestamp': timestamp,
             'access_key': self.s3_conn.access_key,
             'ca_key_filename': ca_key_filename,
             'reason': reason,
             'principals': principals,
         }
-        k.set_contents_from_string(json.dumps(audit_info))
+        return self.drop_audit_blob(serial, audit_info)
+
+    def drop_audit_blob(self, serial, blob):
+        k = self.ssh_bucket.new_key('audit_log/%d.json' % (serial,))
+
+        timestamp = datetime.datetime.strftime(
+            datetime.datetime.utcnow(), '%Y-%m-%d-%H:%M:%S.%f')
+        blob['timestamp'] = timestamp
+
+        k.set_contents_from_string(json.dumps(blob))