alexlebens/site-documentation
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases 12 Activity

feat: documentation on vault ssh

Browse Source
This commit is contained in:
Alex Lebens
2026-03-31 16:27:34 -05:00
parent 5be099fe02
commit 648fb319b1
1 changed files with 105 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
src/content/docs/guides/vault-ssh-ca.md Normal file
View File

@@ -0,0 +1,105 @@
---
title: Vault SSH Certificate Authority
description: Steps followed to enable using Vault as a CA for ssh login
---
# Setup
[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)
I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance.
## Enable the SSH CA
I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints.
Start with enabling the mount.
```bash
vault secrets enable -path=ssh-client-signer ssh
```
Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```
Add the above signing key.
```bash
vault write ssh-client-signer/config/ca private_key="..." public_key="..."
```
## Create Client Role and Key
Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
```bash
vault write ssh-client-signer/roles/alexlebens -<<"EOH"
{
"algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": {
"permit-pty": ""
},
"key_type": "ca",
"default_user": "alexlebens",
"ttl": "30m0s"
}
EOH
```
## Create Client Key
Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```
## Configure SSH to use the Key and Cert
SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above.
```
Host ps08rp
Hostname 10.232.1.51
User alexlebens
IdentityFile ~/.ssh/id_rsa_host
```
# Operations
## Prepare Target Host
Download the public cert from the endpoint.
```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
```
Then add that file to the sshd config.
```
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
```
### Automation
This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future.
## Renew Client Certificate
Sign the client cert, on your machine, with the Vault CA.
```bash
vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
```
I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
```
# Vault
export VAULT_ADDR="https://vault.alexlebens.net"
alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
```
### View Cert Details
For troubleshooting purposes or clafification use the follow to inspect the cert.
```bash
ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
```