gatehouse-api/etc/ssh_ca.conf
# ssh_ca.conf — SSH certificate authority settings.
# Full-line `#` comments only (no inline comments); `key=value` with no spaces.
# All values are strings; hours/seconds/booleans/lists are interpreted by the
# loader, which is not shown here.
# NOTE(review): whether [development]/[production]/[testing] override this
# section is decided by the loader — stock configparser only treats the
# upper-case [DEFAULT] section as a fallback; confirm how the section is picked.
[default]
# Certificate validity period (in hours)
# Default: 1 hour
cert_validity_hours=1
# Maximum certificate validity allowed (in hours)
# Default: 24 hours
# Prevents users from requesting certificates valid longer than this
# (a short ceiling limits how long a leaked or lost key stays usable)
max_cert_validity_hours=24
# Certificate Request Limits
# Maximum number of certificates per user
max_certs_per_user=100
# Certificate revocation list (CRL) configuration
# NOTE(review): OpenSSH's native revocation format is the KRL; whether "CRL"
# here is a KRL or an application-level list is up to the loader — confirm.
crl_enabled=true
# CRL endpoint URL - set to your domain where CRL is served
# (example value; keep it https so the list cannot be altered in transit)
crl_endpoint=https://ca.example.com/crl
# CRL refresh interval (in hours)
# Consumers trust a revoked key until their next refresh, so this bounds revocation latency
crl_refresh_hours=24
# CA Key Configuration
# Default key type for new CAs (ed25519, rsa, ecdsa)
default_key_type=ed25519
# RSA key size (if using RSA)
rsa_key_bits=4096
# Private key encryption
# Method: kms (AWS Key Management Service) or local (for development only)
# The CA private key is the trust root for every certificate it signs;
# "local" keeps it on disk, so it must not be used where real hosts trust this CA.
private_key_encryption=kms
# AWS KMS Key ID (only used if private_key_encryption=kms)
# NOTE(review): `${...}` is not expanded by most INI parsers (configparser's
# BasicInterpolation keeps it literal; ExtendedInterpolation would look for a
# key named SSH_CA_KMS_KEY_ID and fail) — confirm the loader substitutes it
# from the environment, otherwise the literal string reaches the KMS client.
aws_kms_key_id=${SSH_CA_KMS_KEY_ID}
# SSH Certificate Extensions
# Default extensions to add to certificates
# (comma-separated; this is the full permissive set — trim it to what the
# deployment actually needs, e.g. drop X11/agent/port forwarding if unused)
extensions_enabled=true
extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc
# Critical Options
# Critical options to add to certificates (rarely needed)
critical_options_enabled=false
# Certificate Field Limits
# Maximum number of principals per certificate (SSH limitation is 256)
max_principals_per_cert=256
# Maximum length for key_id field
max_key_id_length=255
# Logging Configuration
# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)
log_level=INFO
# Audit Configuration
# Log all certificate signing operations
# (the issuance audit trail is the primary evidence for incident response; keep enabled)
audit_enabled=true
# Security Configuration
# Require SSH key verification before issuing certificates
require_key_verification=true
# Verification challenge max age (in hours)
# A longer window keeps an unused or intercepted challenge valid for longer
verification_challenge_max_age=24
# Rate limiting for certificate signing
# Max certificates per minute per user
rate_limit_certs_per_minute=5
# Request timeout (in seconds)
request_timeout=30
# Cleanup Configuration
# Automatically delete unverified SSH keys after this many days
auto_delete_unverified_days=30
# Archive expired certificates after this many days
archive_expired_days=365
# CLI OAuth Configuration (for secuird-cli.py compatibility)
# OAuth token endpoint for CLI clients
# (paths are relative to the API base; the CLI is expected to resolve them)
oauth_token_endpoint=/api/v1/oauth2/token
# OAuth userinfo endpoint for CLI clients
oauth_userinfo_endpoint=/api/v1/oauth2/userinfo
[development]
# Override settings for development environment
# These relax the [default] controls (on-disk CA key, 30-day max validity,
# 100 certs/minute, no key verification); make sure this section can only be
# selected on a developer machine, never by a deployed service.
private_key_encryption=local
# On-disk CA private key used when private_key_encryption=local.
# Path is tied to one developer's home directory; keep restrictive file modes
# on it and do not commit the key itself.
ca_key_path=/home/james/cory/secuird/certs/ca-users
log_level=DEBUG
cert_validity_hours=24
# 720 hours = 30 days
max_cert_validity_hours=720
rate_limit_certs_per_minute=100
# Skips the key verification step required by [default]
require_key_verification=false
[production]
# Override settings for production environment
# Values equal to [default] are restated on purpose so production never
# inherits a looser value if [default] is edited; only log_level differs.
private_key_encryption=kms
# WARNING suppresses INFO-level operational messages; signing events still
# depend on audit_enabled, which this section leaves at the [default] value
log_level=WARNING
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=5
require_key_verification=true
[testing]
# Override settings for testing environment
# NOTE(review): "local" is selected but no ca_key_path is set in this section
# or in [default] (only [development] sets one) — confirm where the test CA
# key is expected to come from.
private_key_encryption=local
log_level=DEBUG
cert_validity_hours=1
max_cert_validity_hours=24
rate_limit_certs_per_minute=100
require_key_verification=true
# Signing operations are not audit-logged here; acceptable only for throwaway
# test CAs whose certificates no real host trusts
audit_enabled=false