Vault SSH Secrets Engine

Enable the ssh engine:

$ vault secrets enable ssh

or choose a custom mount path:

$ vault secrets enable -path=ssh-client-signer ssh

Configure Vault with a CA for signing client keys using the /config/ca endpoint:

$ vault write ssh/config/ca generate_signing_key=true

Get the public key:

$ curl -s $VAULT_ADDR/v1/ssh/public_key

Copy the key to /etc/ssh/trusted-ca.pem on your servers and add this to sshd_config:

TrustedUserCAKeys /etc/ssh/trusted-ca.pem
AuthorizedKeysFile /dev/null
PasswordAuthentication no
ChallengeResponseAuthentication no

Create a role:

$ vault write ssh/roles/default -<<"EOH"
{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding,permit-agent-forwarding",
  "default_extensions": [
    {
      "permit-pty": "",
      "permit-port-forwarding": "",
      "permit-agent-forwarding": ""
    }
  ],
  "key_type": "ca",
  "default_user": "devops",
  "ttl": "30m0s"
}
EOH

Ask Vault to sign your public key:

$ vault write -field=signed_key ssh/sign/default public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub

For a specific user:

$ vault write -field=signed_key ssh/sign/default public_key=@$HOME/.ssh/id_rsa.pub valid_principals=nbari > ~/.ssh/id_rsa-cert.pub

If you are saving the certificate directly beside your SSH keypair, suffix the name with -cert.pub (~/.ssh/id_rsa-cert.pub). With this naming scheme, OpenSSH will automatically use it during authentication.

Examine the signed certificate:

$ ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
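
Before trusting a freshly signed certificate, it is worth checking that what Vault issued matches the role you defined. The following is an added example (not part of the original page or of Vault itself): it parses a constructed sample of the ssh-keygen -L listing above and compares the certificate type, extensions, lifetime and principals against the ssh/roles/default policy; the 60-second skew allowance for Vault's backdated valid_after is an assumption.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub` output (not captured from a real host).
SAMPLE = """\
/home/nbari/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Valid: from 2024-01-01T10:00:00 to 2024-01-01T10:30:30
        Principals:
                nbari
        Critical Options: (none)
        Extensions:
                permit-pty
                permit-port-forwarding
"""
# Policy taken from the ssh/roles/default definition above: 30m ttl, allow-listed extensions.
ROLE = {"allowed_extensions": {"permit-pty", "permit-port-forwarding", "permit-agent-forwarding"},
        "ttl": timedelta(minutes=30)}
HEADER = re.compile(r"^(Type|Public key|Signing CA|Key ID|Serial|Valid|Principals|Critical Options|Extensions):\s*(.*)$")
def parse_cert_listing(text):
    # "Key: value" lines become dict entries; the three list sections collect the indented
    # entries that follow them (a "(none)" value leaves the list empty).
    cert = {"principals": [], "critical_options": [], "extensions": []}
    section = None
    for raw in text.strip().splitlines()[1:]:  # first line is only the file name
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            section = key if key in cert else None
            if key == "valid":  # value is "from <iso> to <iso>"
                cert["valid_after"], cert["valid_before"] = (datetime.fromisoformat(t) for t in m.group(2).split()[1::2])
            elif section is None:
                cert[key] = m.group(2)
        elif section and line:
            cert[section].append(line)
    return cert

def check_against_role(cert, role, expected_principals, skew=timedelta(seconds=60)):
    # Returns the list of policy violations; an empty list means the certificate matches the role.
    problems = []
    if not cert.get("type", "").endswith("user certificate"):
        problems.append("not a user certificate: " + cert.get("type", "?"))
    extra = set(cert["extensions"]) - role["allowed_extensions"]
    if extra:
        problems.append("extensions outside allowed_extensions: " + ", ".join(sorted(extra)))
    if cert["valid_before"] - cert["valid_after"] > role["ttl"] + skew:  # skew: assumed backdating of valid_after
        problems.append(f"lifetime exceeds role ttl {role['ttl']} (plus {skew} skew allowance)")
    if set(cert["principals"]) != set(expected_principals):
        problems.append(f"principals {cert['principals']} do not match expected {sorted(expected_principals)}")
    return problems
```

Feed it the real listing with `parse_cert_listing(subprocess.check_output(["ssh-keygen", "-Lf", path], text=True))` and refuse to use the certificate when the returned list is non-empty.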

Test (the login user must be one of the certificate's principals, otherwise sshd rejects it):

$ ssh -i id_rsa-cert.pub -i id_rsa username@host