Sharkey is a service for managing certificates for OpenSSH.
Sharkey is split into a client component and a server component: the server is responsible for issuing signed host certificates, and the client is responsible for installing host certificates on the machines it runs on.
Server usage example:

usage: sharkey-server --config=CONFIG [<flags>]

Flags:
  --help           Show context-sensitive help (also try --help-long and --help-man).
  --config=CONFIG  Path to yaml config file for setup
  --suffix=SUFFIX  Suffix of hostnames that will be supplied to server.
  --version        Show application version.

Server configuration example:

# SQLite database
# ---
db:
  address: /path/to/sharkey.db
  type: sqlite

# MySQL database
# ---
# db:
#   username: root
#   password: password
#   address: hostname:port
#   schema: ssh_ca
#   type: mysql
#   tls:                                      # MySQL TLS config (optional)
#     ca: /path/to/mysql-ca-bundle.pem
#     cert: /path/to/mysql-client-cert.pem    # MySQL client cert
#     key: /path/to/mysql-client-cert-key.pem # MySQL client cert key
#     min_version: 1.2                        # Min. TLS version

# Server listening address
listen_addr: "0.0.0.0:8080"

# TLS config for serving requests
# ---
tls:
  ca: /path/to/ca-bundle.pem
  cert: /path/to/server-certificate.pem
  key: /path/to/server-certificate-key.pem
  min_version: 1.2 # Min. TLS version (optional)

# Signing key (from ssh-keygen)
signing_key: /path/to/ca-signing-key

# Lifetime/validity duration for generated host certificates
cert_duration: 168h

Client usage example:

usage: sharkey-client --config=CONFIG [<flags>]

Flags:
  --help           Show context-sensitive help (also try --help-long and --help-man).
  --config=CONFIG  Path to yaml config file for setup
  --version        Show application version.

Client configuration example:

# Server address
request_addr: "https://sharkey-server.example:8080"

# TLS config for making requests
# ---
tls:
  ca: /path/to/ca-bundle.pem
  cert: /path/to/client-certificate.pem
  key: /path/to/client-certificate-key.pem

# OpenSSH host key (unsigned)
host_key: /etc/ssh/ssh_host_rsa_key.pub

# Where to install the signed host certificate
signed_cert: /etc/ssh/ssh_host_rsa_key_signed.pub

# Where to install the known_hosts file
known_hosts: /etc/ssh/known_hosts

# How often to refresh/request new certificate
sleep: "24h"
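As an added example (not part of the original page or of the Sharkey project), the following Python decodes the OpenSSH host certificate that the client installs at signed_cert and checks two things a defender cares about: that the certificate is a host certificate that is valid now, and that it will still be valid when the client next wakes up after sleep, given the server's cert_duration (168h) above. The certificate line is constructed inside the script with a dummy RSA key and an empty signature, so the wire format is real but signature verification is not covered.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
HOST_CERT = 2  # OpenSSH certificate type: 1 = user, 2 = host


def _string(b):
    return struct.pack(">I", len(b)) + b  # SSH wire 'string': 4-byte length prefix, then bytes


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_host_cert(key_id, principals, valid_after, valid_before):
    """Constructed sample only: host cert with a dummy RSA key and an empty signature."""
    body = _string(CERT_TYPE.encode()) + _string(b"\x00" * 32)          # type, nonce
    body += _string(b"\x01\x00\x01") + _string(b"\x00\xaa" * 8)         # mpint e, mpint n (dummy)
    body += struct.pack(">QI", 1, HOST_CERT)                             # serial, type
    body += _string(key_id.encode())
    body += _string(b"".join(_string(p.encode()) for p in principals))   # valid principals
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _string(b"") * 5  # critical options, extensions, reserved, signature key, signature
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " sharkey-sample"


def parse_cert(line):
    """Decode the fields of a signed_cert line that matter for validity checks."""
    cert_type, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    typ, off = _read_string(buf, 0)
    assert typ.decode() == cert_type == CERT_TYPE, "unsupported certificate type"
    for _ in range(3): _skip, off = _read_string(buf, off)  # skip nonce, mpint e, mpint n
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _read_string(buf, off + 12)
    blob, off = _read_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    principals, p = [], 0
    while p < len(blob):                      # principals are nested strings
        name, p = _read_string(blob, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}


def check_cert(fields, now, sleep_seconds):
    """Problems with the installed cert; an empty list means it outlives the next refresh."""
    problems = ["not a host certificate"] if fields["type"] != HOST_CERT else []
    if not fields["valid_after"] <= now < fields["valid_before"]:
        problems.append("certificate is not valid now")
    elif fields["valid_before"] - now < sleep_seconds:
        problems.append("certificate expires before the next refresh")
    return problems
```

On a real host, read the line from /etc/ssh/ssh_host_rsa_key_signed.pub and pass time.time() as now; with a 168h lifetime and a 24h sleep the check only fails once the client has missed several consecutive refreshes, which is the condition worth alerting on.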