alexlebens/site-documentation
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases 33 Activity

feat: move guides
test-build / build (push) Failing after 36s
Details
test-build / guarddog (push) Successful in 46s
Details

Browse Source
This commit is contained in:
Alex Lebens
2026-04-27 16:56:50 -05:00
parent 78da2d0e42
commit 33e887348b
5 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/content/docs/guides/OpenBao/bao-ssh-ca.mdx
+109
View File
@@ -0,0 +1,109 @@
---
title: OpenBao SSH Certificate Authority
description: Steps followed to enable using OpenBao as a CA for ssh login
hero:
tagline: Steps followed for the v1.12.0 upgrade process
image:
file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
---
# Setup
[Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/)
I have set the documenation to use my own defaults and configuration. This also assumes a running and active OpenBao instance.
## Enable the SSH CA
I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints.
Start with enabling the mount.
```bash
bao secrets enable -path=ssh-client-signer ssh
```
Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```
Add the above signing key.
```bash
bao write ssh-client-signer/config/ca private_key="..." public_key="..."
```
## Create Client Role and Key
Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI.
```bash
bao write ssh-client-signer/roles/alexlebens -<<"EOH"
{
"algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": {
"permit-pty": ""
},
"key_type": "ca",
"default_user": "alexlebens",
"ttl": "30m0s"
}
EOH
```
## Create Client Key
Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```
## Configure SSH to use the Key and Cert
SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by OpenBao as the User and set the IdentityFile to the Key as generated above.
```
Host ps08rp
Hostname 10.232.1.51
User alexlebens
IdentityFile ~/.ssh/id_rsa_host
```
# Operations
## Prepare Target Host
Download the public cert from the endpoint.
```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key
```
Then add that file to the sshd config.
```
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
```
### Automation
This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future.
## Renew Client Certificate
Sign the client cert, on your machine, with the OpenBao CA.
```bash
bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
```
I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh.
```
# OpenBao
export BAO_ADDR="https://bao.alexlebens.net"
alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
```
### View Cert Details
For troubleshooting purposes or clafification use the follow to inspect the cert.
```bash
ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
```