vault SSH
April 16, 2022
Vault SSH
Secrets Engine
Enable the ssh engine:
$ vault secrets enable ssh
or choose a path:
$ vault secrets enable -path=ssh-client-signer ssh
Configure Vault with a CA for signing client keys using the /config/ca endpoint. Vault generates the CA key pair and keeps the private key; only the public half ever leaves Vault:
$ vault write ssh/config/ca generate_signing_key=true
Get the public key:
$ curl -s $VAULT_ADDR/v1/ssh/public_key
Save the CA public key on every server (here as /etc/ssh/trusted-ca.pem) and add this to sshd_config:
TrustedUserCAKeys /etc/ssh/trusted-ca.pem
AuthorizedKeysFile /dev/null
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile /dev/null disables static authorized_keys entirely, so only certificates signed by the trusted CA can log in. Have a working signed certificate (or console access) before you reload sshd, or you lock yourself out.
Create a role. Note that allowed_users "*" lets this role sign a certificate for any principal, so restrict who may write to ssh/sign/default with Vault policies (or narrow allowed_users); the 30-minute ttl keeps a leaked certificate short-lived:
$ vault write ssh/roles/default -<<"EOH"
{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding,permit-agent-forwarding",
  "default_extensions": [
    {
      "permit-pty": "",
      "permit-port-forwarding": "",
      "permit-agent-forwarding": ""
    }
  ],
  "key_type": "ca",
  "default_user": "devops",
  "ttl": "30m0s"
}
EOH
Ask Vault to sign your public key (only the public key is sent; your private key stays on your machine). With no principal given, the certificate is issued for default_user, here devops:
$ vault write -field=signed_key ssh/sign/default public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
For a specific user (the login name must be one of the certificate's principals, so request it explicitly when it differs from default_user):
$ vault write -field=signed_key ssh/sign/default public_key=@$HOME/.ssh/id_rsa.pub valid_principals=nbari > ~/.ssh/id_rsa-cert.pub
If you are saving the certificate directly beside your SSH keypair, suffix the name with -cert.pub (~/.ssh/id_rsa-cert.pub). With this naming scheme, OpenSSH will automatically use it during authentication.
Examine the signed certificate:
$ ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
Test (username must be a principal listed in the certificate, and the certificate file name must match the one written above):
$ ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa username@host