danb35 (Hall of Famer; joined Aug 16, 2011; 15,504 messages)
I'm trying to set up my TrueNAS box to use SSH certificates, as described in https://smallstep.com/blog/use-ssh-certificates/. It's pretty straightforward: the step-cli utility is written in Go, so it's a single binary. Download that onto my pool, use it to bootstrap to the CA, use it to obtain a host certificate, use the GUI to configure sshd to use the host certificate.
Only problem is that, like Let's Encrypt certs (though to a much greater degree), these certs are short-lived and therefore need to be renewed frequently. It's easy enough to run `step ssh renew` daily, but then I need to tell sshd to use the renewed cert, and here's the problem. Due to something in the TrueNAS design, I can't simply `service sshd restart`; it tells me it isn't enabled in /etc/rc.conf. I can always `killall -HUP sshd`, and that works, but seems kind of brute-force. Is there a better way to do this?
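One way to put the renew-then-reload step into a daily job, as an added example that is not part of the post above and not smallstep's or TrueNAS's own code: renew the host certificate with `step ssh renew`, compare the certificate file before and after, and send SIGHUP to the sshd listener only when the certificate actually changed. sshd(8) documents SIGHUP as the reload mechanism (it re-executes itself with its original options), so this is the same signal the post's `killall -HUP sshd` sends, but targeted at the single PID from sshd's pid file instead of every process named sshd. The paths (`/mnt/tank/step/...`, `/etc/ssh/ssh_host_ecdsa_key`, `/var/run/sshd.pid`) and the `--force` flag are assumptions to adjust for your pool and key type; the script also assumes `step ssh renew <cert> <key>` rewrites the certificate in place, as smallstep documents.

```shell
#!/bin/sh
# Daily SSH host-certificate renewal for a TrueNAS (FreeBSD) box.
# Example code, not from the post or from smallstep/TrueNAS.
# Run as: sh renew-sshd-cert.sh run   (e.g. from a cron job or a TrueNAS cron task)
set -eu

# Assumed locations; override via environment or edit to match your setup.
CERT="${CERT:-/mnt/tank/step/ssh_host_ecdsa_key-cert.pub}"   # host cert issued by step
KEY="${KEY:-/etc/ssh/ssh_host_ecdsa_key}"                     # matching host private key
PIDFILE="${PIDFILE:-/var/run/sshd.pid}"                       # sshd listener pid file
STEP="${STEP:-/mnt/tank/step/step}"                           # step-cli binary on the pool

# Return 0 (true) when the two files differ, 1 when they are byte-identical.
cert_changed() {
    ! cmp -s "$1" "$2"
}

# Send SIGHUP only to the sshd listener named in the pid file. sshd(8) re-executes
# itself on SIGHUP and so picks up the renewed HostCertificate; the per-session
# sshd children are left alone, unlike with `killall -HUP sshd`.
reload_sshd() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        echo "reload_sshd: cannot read pid file $pidfile" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            echo "reload_sshd: pid file $pidfile does not contain a PID" >&2
            return 1 ;;
    esac
    kill -HUP "$pid"
}

# Renew, then reload sshd only if the certificate on disk actually changed.
renew_and_reload() {
    before=$(mktemp)
    cp "$CERT" "$before"
    # --force is assumed to skip step's overwrite prompt, as in step's other
    # file-writing subcommands; drop it if your step version does not accept it.
    "$STEP" ssh renew "$CERT" "$KEY" --force
    if cert_changed "$before" "$CERT"; then
        reload_sshd "$PIDFILE"
        echo "host certificate renewed and sshd reloaded"
    else
        echo "host certificate unchanged; sshd not signalled"
    fi
    rm -f "$before"
}

case "${1:-}" in
    run) renew_and_reload ;;
esac
```

Because the script only signals sshd when the certificate file changed, running it from cron more often than the cert's lifetime is harmless, and a failed renewal (step exits non-zero under `set -e`) leaves the still-valid old cert and a running sshd untouched.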