SSH access
The established mechanism for updating SSH keys on debian.org machines is documented on db.debian.org. This page documents the use of Security Keys and SSH certificates.
Setting up your Security Key
TODO
Getting an SSH certificate for debian.org machines
In some cases it is useful to get a short-lived SSH certificate that lets you authenticate to debian.org machines without touching the Security Key. This is primarily aimed at members of the DSA team; however, other users should also be able to use this mechanism.
NOTE: This mechanism will only work if you have configured a Security Key-backed SSH key on your account (i.e. keytype sk-*).
Our SSH CA currently runs as user sshca on draghi.debian.org. The following configuration should get you started:
    # Install the client
    $ sudo apt install golang-go
    $ go install github.com/pkern/sshca@latest

    # Configure for debian.org
    $ cat <<EOF > ~/.sshca.toml
    ca_host = 'draghi.debian.org'
    ca_user = 'sshca'
    domain = 'debian'
    lifetime = '19h0m0s'
    # Adjust this if your local username does not match your debian.org username.
    # Members of DSA can add 'root' here.
    principals = ['$USER']
    EOF

    $ cat <<EOF >> ~/.ssh/config
    # Alternatively you can use na.ssh.debian.org.
    Host *.debian.org !eu.ssh.debian.org !salsa.debian.org
      ProxyJump eu.ssh.debian.org

    Host *.debian.org
      IdentitiesOnly yes
      # Key file as reported by 'sshca get' for domain 'debian'
      IdentityFile /run/user/$(id -u)/sshca/debian
      # Adjust this if your local SK keyfile lives elsewhere
      IdentityFile ~/.ssh/id_ecdsa_sk
    EOF
With this, you should be able to request a certificate. Note that this will require two(!) touches, as the CA host is only reachable through a jumphost.
    # You might want to add $HOME/go/bin to your PATH.
    $ ~/go/bin/sshca get
    Identity added: /run/user/1000/sshca/debian (SSHCA/debian authentication key (2024-11-16 13:06:37.543816765))
    Certificate added: /run/user/1000/sshca/debian-cert.pub (pkern@draghi)
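Because the certificate is short-lived (lifetime = '19h0m0s' in the configuration above) and bound to the configured principals, it helps to check both before starting a long session. The following is an added example, not part of the original page or of the sshca project: the function names cert_status and sample_listing are hypothetical, and the listing is a constructed sample of ssh-keygen -L output.

```sh
#!/bin/sh
# Added example (not from sshca or this page's author). Sample data is constructed.

# cert_status NOW [PRINCIPAL], reading `ssh-keygen -L` output on stdin.
# NOW is local time as YYYY-MM-DDTHH:MM:SS, the format ssh-keygen -L prints;
# such strings sort chronologically, so string comparison is sufficient.
cert_status() {
    awk -v now="$1" -v want="$2" '
        $1 == "Valid:" && $2 == "from" && $4 == "to" { from = $3; to = $5 }
        $1 == "Principals:" { in_p = 1; next }
        in_p && /:/ { in_p = 0 }    # the next field header ends the list
        in_p && NF == 1 && $1 == want { found = 1 }
        END {
            if (from == "" || to == "") { print "unbounded"; exit 2 }
            if ((now "") < (from "")) { print "not-yet-valid"; exit 1 }
            if ((now "") >= (to "")) { print "expired"; exit 1 }
            if (want != "" && !found) { print "wrong-principal"; exit 1 }
            print "valid until " to
        }'
}

# Constructed sample of `ssh-keygen -L -f <cert>` output (not real data).
sample_listing() {
    cat <<'EOF'
/run/user/1000/sshca/debian-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:CONSTRUCTED-PLACEHOLDER
        Signing CA: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER (using ssh-ed25519)
        Key ID: "constructed-example"
        Serial: 0
        Valid: from 2024-11-16T13:06:00 to 2024-11-17T08:06:00
        Principals: 
                pkern
        Critical Options: (none)
        Extensions: 
                permit-pty
EOF
}

# Real use, with the certificate path printed by `sshca get`:
#   ssh-keygen -L -f "/run/user/$(id -u)/sshca/debian-cert.pub" |
#       cert_status "$(date +%Y-%m-%dT%H:%M:%S)" "$USER"
sample_listing | cert_status 2024-11-16T20:00:00 pkern
```

A certificate without both validity bounds is reported as "unbounded" with exit status 2, since a certificate from this CA is expected to expire.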