SSH access
The established mechanism for updating the SSH keys on your debian.org account is documented on db.debian.org. This page documents the additional use of Security Keys and SSH certificates.
Setting up your Security Key
TODO
Getting an SSH certificate for debian.org machines
In some cases it is useful to obtain a short-lived SSH certificate that lets you authenticate to debian.org machines without touching the Security Key for every connection. This is primarily aimed at members of the DSA team, but other users should also be able to use this mechanism.
NOTE: This mechanism only works if you have configured a Security Key-backed SSH key (i.e. a key of type sk-*) on your account.
Our SSH CA currently runs as user sshca on draghi.debian.org. The following configuration should get you started:
# Install the client
$ sudo apt install golang-go
$ go install github.com/pkern/sshca@latest
# Configure for debian.org
# (the heredoc is unquoted on purpose: $USER is expanded when the file is written)
$ cat <<EOF > ~/.sshca.toml
ca_host = 'sshca.debian.org'
ca_user = 'sshca'
domain = 'debian'
lifetime = '19h0m0s'
# Adjust this if your local username does not match your debian.org username.
# Members of DSA can add 'root' here.
principals = ['$USER']
EOF
$ cat <<EOF >> ~/.ssh/config
# Alternatively you can use na.ssh.debian.org.
Host *.debian.org !eu.ssh.debian.org !salsa.debian.org
ProxyJump eu.ssh.debian.org
Host sshca.debian.org
IdentitiesOnly yes
# Adjust this if your local SK keyfile lives elsewhere
IdentityFile ~/.ssh/id_ecdsa_sk
Host *.debian.org
IdentitiesOnly yes
# The certificate-backed key is listed first so ssh offers it before the SK key.
# %i expands to your local numeric user ID (e.g. 1000).
CertificateFile /run/user/%i/sshca/debian-cert.pub
IdentityFile /run/user/%i/sshca/debian
# Adjust this if your local SK keyfile lives elsewhere
IdentityFile ~/.ssh/id_ecdsa_sk
EOF
With this, you should be able to request a certificate. Note that this requires two(!) touches of the Security Key, as the CA host is only reachable through the jumphost (one touch to authenticate to the jumphost, one for the CA host itself).
# You might want to add $HOME/go/bin to your PATH.
$ ~/go/bin/sshca get
Identity added: /run/user/1000/sshca/debian (SSHCA/debian authentication key (2024-11-16 13:06:37.543816765))
Certificate added: /run/user/1000/sshca/debian-cert.pub (pkern@draghi)
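Before relying on an issued certificate it is worth checking what it actually says: which CA signed it, which principals it carries, and how long it is valid. The script below is an added example and not code from this page or from the sshca tool. It stands up a throwaway CA in a temporary directory and signs a certificate the way the page describes (19h lifetime, principals = your local user plus root), then runs the checks with ssh-keygen -L. The throwaway CA, the ed25519 stand-in for the sk-* key, the key ID "sshca-example" and the use of GNU date -d for the lifetime check are all assumptions made so that it runs offline; against the real certificate, substitute the real CA public key (obtain its fingerprint from a trusted source).

```shell
#!/bin/sh
# Added example (not the page's or the sshca tool's code): sign a short-lived
# certificate with a throwaway CA and check it the way a user should check
# /run/user/$UID/sshca/debian-cert.pub. Requires ssh-keygen (openssh-client);
# the lifetime check additionally assumes GNU date -d.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "needs ssh-keygen" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and user key (assumption: an ordinary ed25519 key stands in for
# both the sk-* key and the agent-held key the sshca client generates).
ssh-keygen -q -t ed25519 -N '' -C throwaway-ca -f "$WORK/ca"
ssh-keygen -q -t ed25519 -N '' -C throwaway-user -f "$WORK/user"

# Sign $WORK/user.pub -> $WORK/user-cert.pub. $1 = comma-separated principals,
# $2 = relative lifetime in ssh-keygen syntax (e.g. 19h). ssh-keygen backdates
# the start of a relative window by up to about two minutes for clock skew.
sign_cert() {
    ssh-keygen -q -s "$WORK/ca" -I sshca-example -n "$1" -V "+$2" "$WORK/user.pub"
}

# True if certificate $1 lists $2 among its principals: an exact match of one
# line inside the Principals block of ssh-keygen -L output.
cert_has_principal() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -qx "[[:space:]]*$2"
}

# True if certificate $1 was signed by the CA whose public key file is $2.
# Compares the SHA256 fingerprint, so a cert from any other CA fails.
cert_signed_by() {
    expected=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$expected"
}

# Prints the length of the validity window of $1 in seconds; fails if the
# window is unbounded ("forever") or the timestamps cannot be parsed.
cert_lifetime_seconds() {
    valid=$(ssh-keygen -L -f "$1" | grep 'Valid:')
    case $valid in *forever*) return 1 ;; esac
    from=$(printf '%s\n' "$valid" | sed 's/.* from \([^ ]*\) to .*/\1/')
    to=$(printf '%s\n' "$valid" | sed 's/.* to \([^ ]*\)$/\1/')
    f=$(date -d "$from" +%s) || return 1
    t=$(date -d "$to" +%s) || return 1
    echo $(( t - f ))
}

# True if the window of $1 is bounded and no longer than $2 seconds
# (plus 120 s of slack for ssh-keygen's backdating of the start time).
cert_lifetime_ok() {
    secs=$(cert_lifetime_seconds "$1") || return 1
    [ "$secs" -le $(( $2 + 120 )) ]
}

me=$(id -un)
CERT="$WORK/user-cert.pub"
sign_cert "$me,root" 19h        # what the page's config requests (root only for DSA)
ssh-keygen -L -f "$CERT"

cert_signed_by "$CERT" "$WORK/ca.pub"   || { echo "FAIL: unexpected signing CA"; exit 1; }
cert_has_principal "$CERT" "$me"        || { echo "FAIL: principal $me missing"; exit 1; }
cert_has_principal "$CERT" admin        && { echo "FAIL: unexpected principal admin"; exit 1; }
if date -d 2024-01-01T00:00:00 +%s >/dev/null 2>&1; then
    cert_lifetime_ok "$CERT" $((19 * 3600)) || { echo "FAIL: lifetime longer than 19h"; exit 1; }
else
    echo "skip: lifetime check needs GNU date -d"
fi
echo "ok: signed by expected CA, principals $me,root, lifetime <= 19h"
```

Against a real certificate, run the same checks on /run/user/$UID/sshca/debian-cert.pub with the actual CA public key; the Valid line also tells you when you will have to run `sshca get` (and touch the key) again, and `ssh-add -L` shows whether your agent still holds the certificate.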
