SSH access

The established mechanism for updating the SSH keys on debian.org machines is documented on db.debian.org. This page documents the use of Security Keys (FIDO hardware tokens) and SSH certificates.

Setting up your Security Key

TODO

Getting an SSH certificate for debian.org machines

In some cases it is useful to obtain a short-lived SSH certificate that lets you authenticate to debian.org machines without touching the Security Key for every connection. This is primarily aimed at members of the DSA team, but other users should be able to use the mechanism as well.

NOTE: This mechanism only works if you have configured a Security Key-backed SSH key on your account (i.e. a key of type sk-*, such as sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com).

Our SSH CA currently runs as user sshca on draghi.debian.org. The following configuration should get you started:

# Install the client
$ sudo apt install golang-go
$ go install github.com/pkern/sshca@latest
# Configure for debian.org. The heredoc delimiter is unquoted on purpose, so
# $USER and $(id -u) below are expanded once, when the files are written.
$ cat <<EOF > ~/.sshca.toml
ca_host = 'draghi.debian.org'
ca_user = 'sshca'
# The certificate and key are stored under /run/user/<uid>/sshca/<domain>.
domain = 'debian'
lifetime = '19h0m0s'
# Adjust this if your local username does not match your debian.org username.
# Members of DSA can add 'root' here.
principals = ['$USER']
EOF
$ cat <<EOF >> ~/.ssh/config
# Alternatively you can use na.ssh.debian.org.
Host *.debian.org !eu.ssh.debian.org !salsa.debian.org
        ProxyJump eu.ssh.debian.org

Host *.debian.org
        IdentitiesOnly yes
        # Short-lived key written by 'sshca get'; ssh picks up the matching
        # debian-cert.pub next to it automatically. Listed first so the
        # certificate is offered before the Security Key.
        IdentityFile /run/user/$(id -u)/sshca/debian
        # Adjust this if your local SK keyfile lives elsewhere
        IdentityFile ~/.ssh/id_ecdsa_sk
EOF

With this, you should be able to request a certificate. Note that this requires two(!) touches of the Security Key: one for the jump host and one for the CA host, which is only reachable through the jump host.

# You might want to add $HOME/go/bin to your PATH.
$ ~/go/bin/sshca get
Identity added: /run/user/1000/sshca/debian (SSHCA/debian authentication key (2024-11-16 13:06:37.543816765))
Certificate added: /run/user/1000/sshca/debian-cert.pub (pkern@draghi)
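Before relying on a freshly issued certificate it is worth checking what it actually grants and which hosts ssh will route through the jump host. The script below is an added example and is not part of this page, the sshca client or DSA's tooling: it builds a throwaway CA and a certificate shaped like the one 'sshca get' drops under /run/user/<uid>/sshca/, then runs the same checks you would run on the real file with 'ssh-keygen -L' and 'ssh -G'. The CA key, the principals 'alice' and 'root', the key ID and the temporary ssh config are constructed for the demo; the 19h lifetime matches the ~/.sshca.toml above.

```shell
#!/bin/sh
# Added example for the Debian SSH access page; not code from the page or the
# sshca client. Builds a demo CA and certificate, then shows the checks worth
# running on the real one: principals, validity window, effective ssh routing.
set -eu

for tool in ssh ssh-keygen; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; exit 0; }
done

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: a CA key (the real one lives on draghi.debian.org as
# user sshca) and a user key named after the 'debian' domain from ~/.sshca.toml.
# Principals 'alice' and 'root' and the key ID are made up for the demo.
make_demo_cert() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA (constructed)' -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'SSHCA/debian authentication key' -f "$dir/debian"
    # -n is the principal list, -V +19h the same lifetime as in ~/.sshca.toml.
    ssh-keygen -q -s "$dir/ca" -I 'alice@draghi' -n 'alice,root' -V +19h "$dir/debian.pub"
    echo "$dir/debian-cert.pub"
}

# Principals a certificate carries, one per line (parsed from ssh-keygen -L).
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# Exit 0 if the certificate can log in as the given principal, 1 otherwise.
cert_has_principal() {
    cert_principals "$1" | grep -qx "$2"
}

# End of the validity window as printed by ssh-keygen (YYYY-MM-DDTHH:MM:SS in
# local time) or "forever" for a certificate without one.
cert_valid_until() {
    ssh-keygen -L -f "$1" | awk '/Valid:/ {print $NF}'
}

# Exit 0 if the certificate has not expired. The timestamp format is fixed
# width and zero padded, so a plain string comparison is sufficient.
cert_is_current() {
    until=$(cert_valid_until "$1")
    now=$(date +%Y-%m-%dT%H:%M:%S)
    [ "$until" = forever ] || expr "$until" '>' "$now" >/dev/null
}

# The same Host blocks as the ~/.ssh/config snippet above, pointing at the
# demo key instead of /run/user/<uid>/sshca/debian.
write_demo_config() {
    cat > "$1/config" <<EOF
Host *.debian.org !eu.ssh.debian.org !salsa.debian.org
        ProxyJump eu.ssh.debian.org

Host *.debian.org
        IdentitiesOnly yes
        IdentityFile $1/debian
EOF
    echo "$1/config"
}

# ssh -G prints the effective configuration for a host without connecting.
# Prints the jump host, or "none" when ssh would connect directly.
effective_jump() {
    ssh -G -F "$1" "$2" |
        awk '$1 == "proxyjump" {print $2; f=1} END {if (!f) print "none"}'
}

# Identity file(s) ssh would offer to the host, one per line.
effective_identity() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" {print $2}'
}

CERT=$(make_demo_cert "$WORK")
CONFIG=$(write_demo_config "$WORK")

echo "principals:   $(cert_principals "$CERT" | tr '\n' ' ')"
echo "valid until:  $(cert_valid_until "$CERT")"
echo "still valid:  $(cert_is_current "$CERT" && echo yes || echo no)"
echo "draghi.debian.org via: $(effective_jump "$CONFIG" draghi.debian.org)"
echo "eu.ssh.debian.org via: $(effective_jump "$CONFIG" eu.ssh.debian.org)"
echo "identity for draghi:   $(effective_identity "$CONFIG" draghi.debian.org)"
```

On a real setup, point cert_principals and cert_is_current at /run/user/$(id -u)/sshca/debian-cert.pub and effective_jump at your own ~/.ssh/config (drop the -F argument, or pass it explicitly). If 'root' is missing from the principal list, or the "valid until" time has passed, the CA-issued certificate will not be accepted and ssh silently falls back to the Security Key, which is why a connection can unexpectedly start asking for touches again.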