Type:
How-To
Question/Problem:
How do I rotate ssh keys on connected OpenSSH nodes after Teleport CA rotation?
Solution:
Most customers generally use
Example SSM script below:
Run on Auth Server to push the new cert/pubkey to SSM:
tsh ssh instead of ssh and the nodes will in these instances automatically update when the CA is rotated. That being said, it is possible to use AWS SSM (for example) with an orchestration tool like Ansible to push the new cert/pubkey to a central location and then distribute it to all OpenSSH nodes that have been configured to trust Teleport. Example SSM script below:
Run on Auth Server to push the new cert/pubkey to SSM:
#!/bin/bash
source /etc/teleport.d/conf
sudo tctl auth sign --host=proxy.example.com --format=openssh --out=proxy.example.com
SSH_HOST_KEY=$(cat proxy.example.com)
SSH_HOST_CERT=$(cat proxy.example.com-cert.pub)
aws ssm put-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_key --region ${EC2_REGION} --type="String" --value="${SSH_HOST_KEY}" --overwrite
aws ssm put-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_cert --region ${EC2_REGION} --type="String" --value="${SSH_HOST_CERT}" --overwrite
Run on Nodes to grab the new cert and store it in the place it's called from in your sshd_config:
#!/bin/bash
source /etc/teleport.d/conf
aws ssm get-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_key --region ${EC2_REGION} --query Parameter.Value --output text > /etc/ssh/proxy.example.com
aws ssm get-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_cert --region ${EC2_REGION} --query Parameter.Value --output text > /etc/ssh/proxy.example.com-cert.pub
Comments
0 comments
Article is closed for comments.