Sharkey is a service for managing OpenSSH host certificates.
![say no to TOFU](http://static.oschina.net/uploads/img/201607/15180505_HZjq.png)
Sharkey is split into a client component and a server component: the server issues signed host certificates, and the client installs the signed host certificate on each machine.
Server usage:
<pre class="brush:shell;toolbar: true; auto-links: false;">usage: sharkey-server --config=CONFIG [<flags>]

Flags:
  --help           Show context-sensitive help (also try --help-long and --help-man).
  --config=CONFIG  Path to yaml config file for setup
  --suffix=SUFFIX  Suffix of hostnames that will be supplied to server.
  --version        Show application version.</pre>
Server configuration example:
<pre class="brush:xml;toolbar: true; auto-links: false;"># SQLite database
# ---
db:
  address: /path/to/sharkey.db
  type: sqlite

# MySQL database
# ---
# db:
#   username: root
#   password: password
#   address: hostname:port
#   schema: ssh_ca
#   type: mysql
#   tls:                                        # MySQL TLS config (optional)
#     ca: /path/to/mysql-ca-bundle.pem
#     cert: /path/to/mysql-client-cert.pem      # MySQL client cert
#     key: /path/to/mysql-client-cert-key.pem   # MySQL client cert key
#     min_version: 1.2                          # Min. TLS version

# Server listening address
listen_addr: "0.0.0.0:8080"

# TLS config for serving requests
# ---
tls:
  ca: /path/to/ca-bundle.pem
  cert: /path/to/server-certificate.pem
  key: /path/to/server-certificate-key.pem
  min_version: 1.2   # Min. TLS version (optional)

# Signing key (from ssh-keygen)
signing_key: /path/to/ca-signing-key

# Lifetime/validity duration for generated host certificates
cert_duration: 168h</pre>
Client usage:
<pre class="brush:xml;toolbar: true; auto-links: false;">usage: sharkey-client --config=CONFIG [<flags>]

Flags:
  --help           Show context-sensitive help (also try --help-long and --help-man).
  --config=CONFIG  Path to yaml config file for setup
  --version        Show application version.</pre>
Client configuration example:
<pre class="brush:xml;toolbar: true; auto-links: false;"># Server address
request_addr: "https://sharkey-server.example:8080"

# TLS config for making requests
# ---
tls:
  ca: /path/to/ca-bundle.pem
  cert: /path/to/client-certificate.pem
  key: /path/to/client-certificate-key.pem

# OpenSSH host key (unsigned)
host_key: /etc/ssh/ssh_host_rsa_key.pub

# Where to install the signed host certificate
signed_cert: /etc/ssh/ssh_host_rsa_key_signed.pub

# Where to install the known_hosts file
known_hosts: /etc/ssh/known_hosts

# How often to refresh/request new certificate
sleep: "24h"</pre>
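An added sanity check over the server and client configurations above (example code written for this page, not part of Sharkey): it parses the Go-style durations and flags a client `sleep` that is not shorter than the server's `cert_duration` (hosts would keep presenting an expired certificate), a `request_addr` that is not https, a missing mutual-TLS file, or a MySQL backend configured without `db.tls`. The two configs are re-typed as Python dicts so the check runs without a YAML library.

```python
import re
# Constructed from the server and client configuration examples above.
SERVER_CFG = {"db": {"address": "/path/to/sharkey.db", "type": "sqlite"},
    "listen_addr": "0.0.0.0:8080",
    "tls": {"ca": "/path/to/ca-bundle.pem", "cert": "/path/to/server-certificate.pem",
            "key": "/path/to/server-certificate-key.pem", "min_version": 1.2},
    "signing_key": "/path/to/ca-signing-key", "cert_duration": "168h"}
CLIENT_CFG = {"request_addr": "https://sharkey-server.example:8080",
    "tls": {"ca": "/path/to/ca-bundle.pem", "cert": "/path/to/client-certificate.pem",
            "key": "/path/to/client-certificate-key.pem"},
    "host_key": "/etc/ssh/ssh_host_rsa_key.pub",
    "signed_cert": "/etc/ssh/ssh_host_rsa_key_signed.pub",
    "known_hosts": "/etc/ssh/known_hosts", "sleep": "24h"}
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")  # 'ms' before 'm' so "100ms" parses
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
def parse_go_duration(text: str) -> float:
    """Parse a Go-style duration ('168h', '24h', '1h30m') into seconds; reject anything else."""
    pos, total = 0, 0.0
    for m in _DUR_RE.finditer(text):
        if m.start() != pos:  # junk between components
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # empty, or an unsupported unit such as '7d'
        raise ValueError(f"bad duration: {text!r}")
    return total
def check_configs(server: dict, client: dict) -> list:
    """Return a list of problems with the config pair; an empty list means it looks sane."""
    problems = []
    required = {"server": ("db", "listen_addr", "tls", "signing_key", "cert_duration"),
                "client": ("request_addr", "tls", "host_key", "signed_cert", "known_hosts", "sleep")}
    for name, cfg in (("server", server), ("client", client)):
        problems += [f"{name}: missing '{k}'" for k in required[name] if k not in cfg]
        tls = cfg.get("tls", {})
        problems += [f"{name}: tls.{k} not set (mutual TLS needs all three)"
                     for k in ("ca", "cert", "key") if k not in tls]
        if float(tls.get("min_version", 1.2)) < 1.2:
            problems.append(f"{name}: tls.min_version below 1.2")
    if server.get("db", {}).get("type") == "mysql" and "tls" not in server["db"]:
        problems.append("server: MySQL backend without db.tls, so database traffic is unencrypted")
    if not str(client.get("request_addr", "")).startswith("https://"):
        problems.append("client: request_addr must use https")
    try:  # the client must renew before the server-issued certificate expires
        lifetime = parse_go_duration(str(server.get("cert_duration", "")))
        if parse_go_duration(str(client.get("sleep", ""))) >= lifetime:
            problems.append("client: sleep must be shorter than the server's cert_duration")
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```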