ymir: openssh ca

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-12 14:06:09 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-12 14:06:09 +0100
commit: ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch)
tree: b18bd1ce1434609ab4476a508e3da413623bdaea
parent: 7dfdf54de426b995173cec67b40451f0b83d264a (diff)
download: nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.gz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.bz2
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.xz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.zip
5 files changed, 16 insertions, 47 deletions
diff --git a/knownHosts.nix b/knownHosts.nix
index 720a4932..96a104ba 100644
--- a/knownHosts.nix
+++ b/knownHosts.nix
@@ -1,50 +1,6 @@
 {
-  ymir-rsa = {
+  "*.yggdrasil" = {
-    hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+    extraHostNames = ["*.yggdrasil.li"];
-    publicKey = ''
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztzi ca.yggdrasil";
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
-    '';
-  };
-  ymir-ed25519 = {
-    hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-    publicKey = ''
-      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
-    '';
-  };
-  odin-rsa = {
-    hostNames = ["odin.asgard.yggdrasil"];
-    publicKey = ''
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5tCkUoo1V97e7bdAnOvxYXgJ8i+PrECUzbXW8Xwy/ir6a/cl3Lm+RMV/h29sVVT56bb0TtZ/JrYyYyWpy/g8FDGgm06mHnxGjjCE7FQpMRk/QoE7JKvqB4mTyMH6lE9lfuLiPI0S7JXrx0xiSJS0Z989Xmu8CN0pA4qyNmMVvAm+zSgxA1KLVcOWUw9mbmVInm1JB+l/psmYcdne4fjWGOn8awY0KGSB5W8xiThjoJe2a8BrW5g8xYS7mLQeKvCkVmukvMu9rUPdCqXp5QPBD8l7tl2jnrefSTRozysfZGX2aRy+a1xXZ/LLBimM/DQ2vDeXYGmE0saCTAgOm4u6Cx6j+SHq64koLaWfHygVeyvCnD0ttKhVzBkbsqzyootg/C1uNaMnavkfUVgSZigyHvfvgGLq39awQ3Zxgxui7vhPy0Mjf2/3EWJyWRvZTX7gBDO0pi8bfyTqhEKTBNn2MvN4gAimc14tO0XClVzh1iUWJMqewoX22u4RUOr3b4MJoUMgiFvyup3gL0+n7EJhMtYrUJ1FwlzGGLCZUtgdQ8tIYz+DWfXIPWXA7rBuUu/fNxrpNqEHtagsnQ4LEquxhq5iqgRZ4/BpwRi1Lp6tcNDCFeG80CFEcKpQv4nPXSHuwPfb3hGZAxy0pnB/BKJ0Uo6azvGb0xTL7P65y25Yjaw==
-    '';
-  };
-  odin-ed25519 = {
-    hostNames = ["odin.asgard.yggdrasil"];
-    publicKey = ''
-      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0bDMyJFg6VNgiTebP9z9LJ90scGGdILK0qpNFQhMfc
-    '';
-  };
-  hel-rsa = {
-    hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
-    publicKey = ''
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPpiWp5AN75fV/P+oLLExOkJ933dr4r0tE8deUjSB8QlNWoNSxg0WP8noUri52TkbYV1JZh+r6o4XGZrsXHdk2+ggLYDvIbNyUumsTGI2stexuw9oow9OMys1+f1Ld+szyYnO6dA+zXAjHXS129r3PtSMc9ELra+W5tARFdmcBQt0v/pgSkz1acJQvv8286ioyxUfQ08JUBD2Nb6dVCtdCFXZkivFpKV5mNDOsDsNwBJQda6o5SUuglIEzvP1Q2HPlBAV3pozvmlzUgZrY3hiEkge4fmqm71ZCbCNv61FYKo1LgtMDGLHyxT72lmESR7yS5s1O/nPHCAOeWns40h2ykOD1bfWYFdgH9oEOYbCxGTryfSAJn5qS1FP7serBcjW/lCTfYBNXXtuOHSBLDKfmNb5WgQKPgjSWrVOtk8qWHP2DOgF0C1vL4qr2CjE2LvwxwfC6PaMGb7TJHFeQTPobVgH6m9BGTsVciRIo4PmfYQ9xLD9rcvYd7SDk5KFantphmPgZrQ4PkMik/9Hx3+Mg2L4SuLtXNxmMmTZgXGv5N+NbSkOXNxmjjM0fVSX/d2FOmY51XvLIIx0C+kwiv4FfqI3jbmqvf6mJ7Ev6peoTYgZ3yqeLkC8MOelC77CKfeO+pgGiPR/dEPPCoFHq1kgaOa0dl8Iuzgo/Z0ZGUtux1Q==
-    '';
-  };
-  hel-ed25519 = {
-    hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
-    publicKey = ''
-      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVmpfhUPgjsWyvomTbRJh5qkIC5WzdgdatqfRTd1EcK
-    '';
-  };
-  sif-rsa = {
-    hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
-    publicKey = ''
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w==
-    '';
-  };
-  sif-ed25519 = {
-    hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
-    publicKey = ''
-      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
-    '';
  };
 }
diff --git a/krl.bin b/krl.bin
new file mode 100644
index 00000000..3f04c994
--- /dev/null
+++ b/krl.bin
Binary files differ
diff --git a/ymir.nix b/ymir.nix
index df306121..8f01ad6b 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
    challengeResponseAuthentication = false;
    extraConfig = ''
      AllowGroups ssh
+      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+      HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+      RevokedKeys /etc/ssh/krl.bin
    '';
    knownHosts = import ./knownHosts.nix;
+    hostKeys = [
+      { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
+      { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
  };
+  environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
+  environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
+  environment.etc."ssh/krl.bin".source = ./krl.bin;
  users.groups."ssh" = {
    members = ["gitolite" "uucp" "root"];
  };
diff --git a/ymir/ed25519-cert.pub b/ymir/ed25519-cert.pub
new file mode 100644
index 00000000..83ec913e
--- /dev/null
+++ b/ymir/ed25519-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICUd5T+t6Giaq52opNtwkdA/h6DDVMV5mSAwmUY2U9cTAAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZDQAAAAGIHpkUAAAACAAAAJGQ5NmYwYWY1LTBjYjUtNDM1Zi1hYTFlLTc5ZjFhMjVlOTcyMAAAABUAAAAReW1pci55Z2dkcmFzaWwubGkAAAAAYgZUuwAAAABjsL7wAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAtbex2pqbUOPVV7UmckbGjro2uSJ9TdFPWG3Yrus7c4gAAAFMAAAALc3NoLWVkMjU1MTkAAABAorc2x49gJECkdwOjFrpSVKGpG/eapaFTFjNE0KIt+BUidQn821ort2lV+ycdZKO8XvWsFjzfCvdIMakpnDB9BA== ymir/ed25519.pub
diff --git a/ymir/rsa-cert.pub b/ymir/rsa-cert.pub
new file mode 100644
index 00000000..f2d60979
--- /dev/null
+++ b/ymir/rsa-cert.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg9cWaz1e9vLZV008c3egsA3xB56YLxvExYAzLBKN/nSoAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWp0AAAABiB6ZGAAAAAgAAACRiZTBlYjg0MS0xNmEyLTQwY2MtYjQwNy02Nzc3MzVmZTg1ODkAAAAVAAAAEXltaXIueWdnZHJhc2lsLmxpAAAAAGIGVLwAAAAAY7C+8AAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgLW3sdqam1Dj1Ve1JnJGxo66NrkifU3RT1ht2K7rO3OIAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMHTfT5Y+8BLsPFfhsQwGbyrd6ufCph8WGTTH8e8D/FhFApIjPCnCuZJVOXrmdRAzc7BXFnJBBOX34Z7o8Y30wA= ymir/rsa.pub
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-12 14:06:09 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-12 14:06:09 +0100
commit	ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch)
tree	b18bd1ce1434609ab4476a508e3da413623bdaea
parent	7dfdf54de426b995173cec67b40451f0b83d264a (diff)
download	nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.gz nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.bz2 nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.xz nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.zip

diff --git a/knownHosts.nix b/knownHosts.nix index 720a4932..96a104ba 100644 --- a/knownHosts.nix +++ b/knownHosts.nix
@@ -1,50 +1,6 @@
1	{	1	{
2	ymir-rsa = {	2	"*.yggdrasil" = {
3	hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];	3	extraHostNames = ["*.yggdrasil.li"];
4	publicKey = ''	4	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztzi ca.yggdrasil";
5	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
6	'';
7	};
8	ymir-ed25519 = {
9	hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
10	publicKey = ''
11	ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
12	'';
13	};
14	odin-rsa = {
15	hostNames = ["odin.asgard.yggdrasil"];
16	publicKey = ''
17	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5tCkUoo1V97e7bdAnOvxYXgJ8i+PrECUzbXW8Xwy/ir6a/cl3Lm+RMV/h29sVVT56bb0TtZ/JrYyYyWpy/g8FDGgm06mHnxGjjCE7FQpMRk/QoE7JKvqB4mTyMH6lE9lfuLiPI0S7JXrx0xiSJS0Z989Xmu8CN0pA4qyNmMVvAm+zSgxA1KLVcOWUw9mbmVInm1JB+l/psmYcdne4fjWGOn8awY0KGSB5W8xiThjoJe2a8BrW5g8xYS7mLQeKvCkVmukvMu9rUPdCqXp5QPBD8l7tl2jnrefSTRozysfZGX2aRy+a1xXZ/LLBimM/DQ2vDeXYGmE0saCTAgOm4u6Cx6j+SHq64koLaWfHygVeyvCnD0ttKhVzBkbsqzyootg/C1uNaMnavkfUVgSZigyHvfvgGLq39awQ3Zxgxui7vhPy0Mjf2/3EWJyWRvZTX7gBDO0pi8bfyTqhEKTBNn2MvN4gAimc14tO0XClVzh1iUWJMqewoX22u4RUOr3b4MJoUMgiFvyup3gL0+n7EJhMtYrUJ1FwlzGGLCZUtgdQ8tIYz+DWfXIPWXA7rBuUu/fNxrpNqEHtagsnQ4LEquxhq5iqgRZ4/BpwRi1Lp6tcNDCFeG80CFEcKpQv4nPXSHuwPfb3hGZAxy0pnB/BKJ0Uo6azvGb0xTL7P65y25Yjaw==
18	'';
19	};
20	odin-ed25519 = {
21	hostNames = ["odin.asgard.yggdrasil"];
22	publicKey = ''
23	ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0bDMyJFg6VNgiTebP9z9LJ90scGGdILK0qpNFQhMfc
24	'';
25	};
26	hel-rsa = {
27	hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
28	publicKey = ''
29	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPpiWp5AN75fV/P+oLLExOkJ933dr4r0tE8deUjSB8QlNWoNSxg0WP8noUri52TkbYV1JZh+r6o4XGZrsXHdk2+ggLYDvIbNyUumsTGI2stexuw9oow9OMys1+f1Ld+szyYnO6dA+zXAjHXS129r3PtSMc9ELra+W5tARFdmcBQt0v/pgSkz1acJQvv8286ioyxUfQ08JUBD2Nb6dVCtdCFXZkivFpKV5mNDOsDsNwBJQda6o5SUuglIEzvP1Q2HPlBAV3pozvmlzUgZrY3hiEkge4fmqm71ZCbCNv61FYKo1LgtMDGLHyxT72lmESR7yS5s1O/nPHCAOeWns40h2ykOD1bfWYFdgH9oEOYbCxGTryfSAJn5qS1FP7serBcjW/lCTfYBNXXtuOHSBLDKfmNb5WgQKPgjSWrVOtk8qWHP2DOgF0C1vL4qr2CjE2LvwxwfC6PaMGb7TJHFeQTPobVgH6m9BGTsVciRIo4PmfYQ9xLD9rcvYd7SDk5KFantphmPgZrQ4PkMik/9Hx3+Mg2L4SuLtXNxmMmTZgXGv5N+NbSkOXNxmjjM0fVSX/d2FOmY51XvLIIx0C+kwiv4FfqI3jbmqvf6mJ7Ev6peoTYgZ3yqeLkC8MOelC77CKfeO+pgGiPR/dEPPCoFHq1kgaOa0dl8Iuzgo/Z0ZGUtux1Q==
30	'';
31	};
32	hel-ed25519 = {
33	hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
34	publicKey = ''
35	ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVmpfhUPgjsWyvomTbRJh5qkIC5WzdgdatqfRTd1EcK
36	'';
37	};
38	sif-rsa = {
39	hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
40	publicKey = ''
41	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w==
42	'';
43	};
44	sif-ed25519 = {
45	hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
46	publicKey = ''
47	ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
48	'';
49	};	5	};
50	}	6	}


diff --git a/krl.bin b/krl.bin new file mode 100644 index 00000000..3f04c994 --- /dev/null +++ b/krl.bin
Binary files differ


diff --git a/ymir.nix b/ymir.nix index df306121..8f01ad6b 100644 --- a/ymir.nix +++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
212	challengeResponseAuthentication = false;	212	challengeResponseAuthentication = false;
213	extraConfig = ''	213	extraConfig = ''
214	AllowGroups ssh	214	AllowGroups ssh
		215
		216	HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
		217	HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
		218	RevokedKeys /etc/ssh/krl.bin
215	'';	219	'';
216	knownHosts = import ./knownHosts.nix;	220	knownHosts = import ./knownHosts.nix;
		221	hostKeys = [
		222	{ bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
		223	{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
		224	];
217	};	225	};
		226	environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
		227	environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
		228	environment.etc."ssh/krl.bin".source = ./krl.bin;
218	users.groups."ssh" = {	229	users.groups."ssh" = {
219	members = ["gitolite" "uucp" "root"];	230	members = ["gitolite" "uucp" "root"];
220	};	231	};


diff --git a/ymir/ed25519-cert.pub b/ymir/ed25519-cert.pub new file mode 100644 index 00000000..83ec913e --- /dev/null +++ b/ymir/ed25519-cert.pub
@@ -0,0 +1 @@
			ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICUd5T+t6Giaq52opNtwkdA/h6DDVMV5mSAwmUY2U9cTAAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZDQAAAAGIHpkUAAAACAAAAJGQ5NmYwYWY1LTBjYjUtNDM1Zi1hYTFlLTc5ZjFhMjVlOTcyMAAAABUAAAAReW1pci55Z2dkcmFzaWwubGkAAAAAYgZUuwAAAABjsL7wAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAtbex2pqbUOPVV7UmckbGjro2uSJ9TdFPWG3Yrus7c4gAAAFMAAAALc3NoLWVkMjU1MTkAAABAorc2x49gJECkdwOjFrpSVKGpG/eapaFTFjNE0KIt+BUidQn821ort2lV+ycdZKO8XvWsFjzfCvdIMakpnDB9BA== ymir/ed25519.pub


diff --git a/ymir/rsa-cert.pub b/ymir/rsa-cert.pub new file mode 100644 index 00000000..f2d60979 --- /dev/null +++ b/ymir/rsa-cert.pub
@@ -0,0 +1 @@
			ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg9cWaz1e9vLZV008c3egsA3xB56YLxvExYAzLBKN/nSoAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWp0AAAABiB6ZGAAAAAgAAACRiZTBlYjg0MS0xNmEyLTQwY2MtYjQwNy02Nzc3MzVmZTg1ODkAAAAVAAAAEXltaXIueWdnZHJhc2lsLmxpAAAAAGIGVLwAAAAAY7C+8AAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgLW3sdqam1Dj1Ve1JnJGxo66NrkifU3RT1ht2K7rO3OIAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMHTfT5Y+8BLsPFfhsQwGbyrd6ufCph8WGTTH8e8D/FhFApIjPCnCuZJVOXrmdRAzc7BXFnJBBOX34Z7o8Y30wA= ymir/rsa.pub