Type:
How-To
Question/Problem:
How do I rotate ssh keys on connected OpenSSH nodes after Teleport CA rotation?
Solution:
Most customers generally use tsh ssh instead of ssh, and in those cases the nodes update automatically when the CA is rotated. That said, it is possible to use AWS SSM (for example) with an orchestration tool like Ansible to push the new cert/pubkey to a central location and then distribute it to all OpenSSH nodes that have been configured to trust Teleport. Example SSM scripts below.
Run on the Auth Server to push the new cert/pubkey to SSM:
#!/bin/bash
# TELEPORT_CLUSTER_NAME and EC2_REGION are read from this file
source /etc/teleport.d/conf
# Issue a fresh OpenSSH host key and certificate signed by the (rotated) Teleport host CA
sudo tctl auth sign --host=proxy.example.com --format=openssh --out=proxy.example.com
SSH_HOST_KEY=$(cat proxy.example.com)
SSH_HOST_CERT=$(cat proxy.example.com-cert.pub)
# Note: the private host key is pushed as a plain String parameter; SecureString
# (read back with --with-decryption) keeps it encrypted at rest in Parameter Store
aws ssm put-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_key --region ${EC2_REGION} --type="String" --value="${SSH_HOST_KEY}" --overwrite
aws ssm put-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_cert --region ${EC2_REGION} --type="String" --value="${SSH_HOST_CERT}" --overwrite
Run on the nodes to fetch the new key and cert and store them at the paths referenced from your sshd_config:
#!/bin/bash
source /etc/teleport.d/conf
aws ssm get-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_key --region ${EC2_REGION} --query Parameter.Value --output text > /etc/ssh/proxy.example.com
aws ssm get-parameter --name /teleport/${TELEPORT_CLUSTER_NAME}/ssh_host_cert --region ${EC2_REGION} --query Parameter.Value --output text > /etc/ssh/proxy.example.com-cert.pub
# The redirect above creates the private key with the default umask; it must not be world-readable
chmod 600 /etc/ssh/proxy.example.com
# sshd loads host keys at startup, so reload or restart it to serve the new key and cert
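As an added check (example code, not from the article or from Teleport): before overwriting the files in /etc/ssh, a node can parse the certificate pulled from SSM and confirm it is a host certificate for its own hostname, issued by the Teleport host CA it already trusts, and still inside its validity window, which catches a stale or wrong-cluster parameter before sshd serves it. It compares the issuer's public key, not the signature (sshd and the connecting clients check that), and assumes the trusted CA is supplied as a one-line OpenSSH public key.

```python
import base64
import struct

HOST_CERT = 2  # OpenSSH certificate type for host certificates (user certs are 1)
# Public-key fields between the nonce and the serial, per certificate type
# (ed25519: pk; rsa: e, n; ecdsa: curve name, point).
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2}
KEY_FIELDS.update({f"ecdsa-sha2-nistp{b}-cert-v01@openssh.com": 2 for b in (256, 384, 521)})

def pack_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset `off`; returns (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_host_cert(cert_line: str) -> dict:
    """Parse the fields a node should check from a '<type> <base64> [comment]' line."""
    blob = base64.b64decode(cert_line.split()[1])
    ctype, off = _string(blob, 0)
    _nonce, off = _string(blob, off)
    for _ in range(KEY_FIELDS[ctype.decode()]):  # skip the certified public key
        _, off = _string(blob, off)
    _serial, cert_type = struct.unpack(">QI", blob[off:off + 12]); off += 12
    key_id, off = _string(blob, off)
    principals_raw, off = _string(blob, off)
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16]); off += 16
    for _ in range(3):  # critical options, extensions, reserved: not needed here
        _, off = _string(blob, off)
    sig_key, _ = _string(blob, off)  # public key of the CA that issued this cert
    principals, p = [], 0
    while p < len(principals_raw):  # principals is itself a list of strings
        name, p = _string(principals_raw, p)
        principals.append(name.decode())
    return {"type": cert_type, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "sig_key": sig_key}

def check_host_cert(cert_line: str, ca_line: str, hostname: str, now: int) -> list:
    """Reasons NOT to install the cert on `hostname` at time `now`; [] means OK."""
    cert = parse_host_cert(cert_line)
    ca_blob = base64.b64decode(ca_line.split()[1])  # ca_line: "<type> <base64> [comment]"
    checks = [(cert["sig_key"] == ca_blob, "issuer is not the trusted Teleport host CA"),
              (cert["type"] == HOST_CERT, "not a host certificate"),
              (hostname in cert["principals"], f"{hostname} not in principals {cert['principals']}"),
              (cert["valid_after"] <= now < cert["valid_before"], "outside validity window")]
    return [msg for ok, msg in checks if not ok]
```

Run it on the node with the fetched cert line, the CA line sshd trusts, the node's hostname and `int(time.time())`; install the files only when the returned list is empty.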