Harshit-RV (Contributor) commented May 30, 2025

This PR implements a private Certificate Authority (CA) for generating SSH certificates. It enables you to generate SSH host and user certificates for secure communication.

Private CA:

  • Deployed on Lambda
  • Supports both User and Host SSH certificates
  • Verifies the client's identity by calling get-caller-identity using the aws-auth-headers received from the client
  • For Host certs, it accepts AWS_EC2_REGION, gets the public IP by calling DescribeInstances, and adds it as a principal in the cert
  • Deployment scripts:
    • deploy-server-on-lambda.sh
    • update-server-on-lambda.sh

Client:

  • generate-certificate-curl.sh file for clients to run and get a certificate.
  • This script also does all the setup required for both users and hosts.
  • For Host (needs sudo access):
    • Saves the cert and user_ca.pub in HOST_SSH_DIR
    • Adds references to the cert and user_ca.pub files as HostCertificate and TrustedUserCAKeys respectively in sshd_config
  • For User:
    • Adds the public key of the CA to known_hosts with the @cert-authority prefix
    • Saves the cert to USER_SSH_DIR
  • Client must specify which ENVIRONMENT they're using (host → EC2 or client → user machines), which determines how the script gets their AWS credentials to prepare auth headers

Todo:

  • Run the create-role-action script in action/setup and update the AWS_PRIVATE_CA_LAMBDA_UPDATE_ROLE secret with the role ARN
  • Add an AWS_REGION env variable in the GitHub environment
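The client-side setup the PR describes (HostCertificate and TrustedUserCAKeys in sshd_config for hosts, an @cert-authority line in known_hosts for users) is easy to get subtly wrong: a directive appended after a `Match` block silently becomes conditional, repeated runs pile up duplicate lines, and `@cert-authority *` trusts the CA for every host. The following is an added example, not code from the PR or the project, showing one way to apply those edits idempotently and with a scoped host pattern. The certificate filename `ssh_host_ed25519_key-cert.pub`, the host pattern `*.internal.example`, and the sample CA key are assumptions; HOST_SSH_DIR, user_ca.pub, HostCertificate, TrustedUserCAKeys and @cert-authority come from the PR description.

```python
"""Idempotent client-side SSH CA setup helpers (added example, not project code).

Pure functions operate on file contents so they can be tested offline; thin
wrappers apply them to real files. Only the whitespace-separated
`Keyword value` form of sshd_config is handled (not `Keyword=value`).
"""
import base64
from pathlib import Path
from typing import Callable


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in OpenSSH public-key blobs."""
    return len(data).to_bytes(4, "big") + data


def make_sample_ca_pubkey_line() -> str:
    """Constructed sample CA public key line (structurally valid ssh-ed25519
    blob with an all-zero point; cryptographically meaningless)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} sample-ca (constructed)"


def parse_ca_pubkey(line: str) -> tuple[str, str]:
    """Validate a `keytype base64 [comment]` line before trusting it.

    The blob's first length-prefixed string must equal the declared key type;
    a mismatch or undecodable base64 raises ValueError instead of producing a
    known_hosts entry that sshd/ssh would reject or misread."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError(f"blob key type does not match declared {keytype}")
    return keytype, b64


def add_cert_authority(known_hosts_text: str, ca_pubkey_line: str, host_pattern: str) -> str:
    """Append `@cert-authority <pattern> <keytype> <base64>` once.

    `host_pattern` should be scoped (e.g. '*.internal.example'), not '*',
    so the CA is only trusted for hosts it is meant to certify."""
    keytype, b64 = parse_ca_pubkey(ca_pubkey_line)
    entry = f"@cert-authority {host_pattern} {keytype} {b64}"
    if entry in (l.strip() for l in known_hosts_text.splitlines()):
        return known_hosts_text  # already present: no-op
    sep = "" if not known_hosts_text or known_hosts_text.endswith("\n") else "\n"
    return known_hosts_text + sep + entry + "\n"


def upsert_sshd_directive(config_text: str, key: str, value: str) -> str:
    """Ensure exactly one global `key value` line in sshd_config.

    Active global lines for `key` (keywords are case-insensitive) are replaced
    in place and duplicates dropped; commented lines and lines inside `Match`
    blocks are left alone. A new directive is inserted before the first
    `Match` line so it stays global rather than becoming conditional."""
    new_line = f"{key} {value}"
    out, replaced, match_at = [], False, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            word = stripped.split(None, 1)[0].lower()
            if word == "match" and match_at is None:
                match_at = len(out)
            if word == key.lower() and match_at is None:
                if not replaced:
                    out.append(new_line)
                    replaced = True
                continue  # drop duplicate global occurrences
        out.append(line)
    if not replaced:
        out.insert(len(out) if match_at is None else match_at, new_line)
    return "\n".join(out) + "\n"


def configure_host(config_text: str, host_ssh_dir: str) -> str:
    """Host side: point sshd at its certificate and at the user CA key."""
    cert = f"{host_ssh_dir}/ssh_host_ed25519_key-cert.pub"  # assumed filename
    ca = f"{host_ssh_dir}/user_ca.pub"
    text = upsert_sshd_directive(config_text, "HostCertificate", cert)
    return upsert_sshd_directive(text, "TrustedUserCAKeys", ca)


def apply_to_file(path: Path, transform: Callable[[str], str]) -> None:
    """Read-modify-write wrapper; creates the file if it does not exist."""
    current = path.read_text() if path.exists() else ""
    path.write_text(transform(current))


if __name__ == "__main__":
    # Dry run on constructed inputs: prints the resulting sshd_config and known_hosts.
    sample_cfg = "Port 22\n#HostCertificate /etc/ssh/old.pub\nMatch User deploy\n    PasswordAuthentication no\n"
    print(configure_host(sample_cfg, "/etc/ssh"))
    print(add_cert_authority("", make_sample_ca_pubkey_line(), "*.internal.example"))
```

Running the module prints the transformed contents; in a real script you would call `apply_to_file(Path("/etc/ssh/sshd_config"), lambda t: configure_host(t, host_ssh_dir))` on the host (as root) and `apply_to_file(Path.home() / ".ssh" / "known_hosts", ...)` on the user machine, then check the result with `sshd -t` before restarting sshd.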

Harshit-RV and others added 17 commits July 24, 2025 23:45
…, add get-host-ca functionality in it, remove extra file
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>