I follow this guide about Signed SSH Certificates.
I can use the SSH CA signed key together with the private key to SSH to a server. But I'm stuck when applying this to Ansible.
ssh -o StrictHostKeyChecking=no -i cicd-signed-key.pub -i privatekey username@servername "hostname" => It's OK.
But how do I configure Ansible to use both the SSH CA signed key and the private key?
I can't do it or find any documents/guides.
Please help me.
You could have the Ansible process generate a private/public key pair before getting the public key signed by Vault.
Alternatively, you could store the private and public keys in Vault's KV, retrieve them before signing the public key, and when complete attempt to SSH to the destination.
There may be other options as well, but I’ve seen both of these work in similar situations.
No no, I got it.
But I want to use this key to deploy to other server.
Did you follow Step 3 in the Signing Key & Role Configuration? This would be applied on your target host.
According to ssh(1) - OpenBSD manual pages:
If no certificates have been explicitly specified by the
ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
So you should ensure your signed certificate is saved to such a file name, so that when Ansible runs SSH, it is found using this logic.
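The file-naming rule from ssh(1) quoted above, applied to the key names from the question, as an added example that is not part of the original thread: a POSIX shell helper that installs the Vault-signed certificate as "<privatekey>-cert.pub" (checking it really is an OpenSSH certificate first) and emits the matching Ansible inventory line. The file names privatekey and cicd-signed-key.pub come from the question; the sample key and certificate contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). OpenSSH looks for
# "<identity>-cert.pub" beside every -i identity file, so once the signed
# cert sits next to the private key, Ansible only needs the key path.

# install_signed_cert PRIVATE_KEY SIGNED_CERT
# Copies SIGNED_CERT to "<PRIVATE_KEY>-cert.pub" and prints that path.
install_signed_cert() {
    key="$1"
    cert="$2"
    [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    # Every OpenSSH certificate type ends in -cert-v01@openssh.com
    # (ssh-ed25519-cert-..., ssh-rsa-cert-..., ecdsa-sha2-nistp256-cert-...).
    # A plain public key here would silently leave ssh without a cert.
    case "$(cut -d' ' -f1 "$cert")" in
        *-cert-v01@openssh.com) ;;
        *) echo "not an OpenSSH certificate: $cert" >&2; return 1 ;;
    esac
    cp "$cert" "${key}-cert.pub"
    chmod 0644 "${key}-cert.pub"
    chmod 0600 "$key"   # ssh refuses a private key with loose permissions
    printf '%s\n' "${key}-cert.pub"
}

# inventory_line HOST USER PRIVATE_KEY
# INI inventory entry; no certificate option is needed because OpenSSH finds
# "<key>-cert.pub" by itself. If the cert must live elsewhere, add
# ansible_ssh_common_args='-o CertificateFile=/path/to/cert' instead.
inventory_line() {
    printf '%s ansible_user=%s ansible_ssh_private_key_file=%s\n' "$1" "$2" "$3"
}

# Stand-alone demo with constructed (fake) key material.
demo() {
    dir=$(mktemp -d)
    printf 'FAKE-PRIVATE-KEY-PLACEHOLDER\n' > "$dir/privatekey"
    printf 'ssh-ed25519-cert-v01@openssh.com AAAA...placeholder cicd\n' \
        > "$dir/cicd-signed-key.pub"
    install_signed_cert "$dir/privatekey" "$dir/cicd-signed-key.pub"
    inventory_line servername username "$dir/privatekey"
}
```

Call `demo` to see the installed path and the inventory line; with a real cert you can confirm the principals and validity window with `ssh-keygen -L -f privatekey-cert.pub`.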