From 648fb319b192ecd7826fe03599f7a0ee55a419ea Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Tue, 31 Mar 2026 16:27:34 -0500 Subject: [PATCH] feat: documentation on vault ssh --- src/content/docs/guides/vault-ssh-ca.md | 105 ++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 src/content/docs/guides/vault-ssh-ca.md diff --git a/src/content/docs/guides/vault-ssh-ca.md b/src/content/docs/guides/vault-ssh-ca.md new file mode 100644 index 0000000..5181c2a --- /dev/null +++ b/src/content/docs/guides/vault-ssh-ca.md 
@@ -0,0 +1,105 @@ +--- +title: Vault SSH Certificate Authority +description: Steps followed to enable using Vault as a CA for ssh login +--- + +# Setup + +[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing) + +I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance. + +## Enable the SSH CA + +I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints. + +Start with enabling the mount. +```bash +vault secrets enable -path=ssh-client-signer ssh +``` + +Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to. +```bash +ssh-keygen -t rsa -C "alexanderlebens@gmail.com" +``` + +Add the above signing key. +```bash +vault write ssh-client-signer/config/ca private_key="..." public_key="..." +``` + +## Create Client Role and Key + +Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI. +```bash +vault write ssh-client-signer/roles/alexlebens -<<"EOH" +{ + "algorithm_signer": "rsa-sha2-256", + "allow_user_certificates": true, + "allowed_users": "*", + "allowed_extensions": "permit-pty,permit-port-forwarding", + "default_extensions": { + "permit-pty": "" + }, + "key_type": "ca", + "default_user": "alexlebens", + "ttl": "30m0s" +} +EOH +``` + +## Create Client Key + +Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh. +```bash +ssh-keygen -t rsa -C "alexanderlebens@gmail.com" +``` + +## Configure SSH to use the Key and Cert + +SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. 
Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above. +``` +Host ps08rp + Hostname 10.232.1.51 + User alexlebens + IdentityFile ~/.ssh/id_rsa_host +``` + +# Operations + +## Prepare Target Host + +Download the public cert from the endpoint. +```bash +curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key +``` + +Then add that file to the sshd config. +``` +TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem +``` + +### Automation + +This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future. + +## Renew Client Certificate + +Sign the client cert, on your machine, with the Vault CA. +```bash +vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub +``` + +I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh. +``` +# Vault +export VAULT_ADDR="https://vault.alexlebens.net" +alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' +``` + +### View Cert Details + +For troubleshooting purposes or clafification use the follow to inspect the cert. +```bash +ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub +``` \ No newline at end of file
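Review bot: the role in "Create Client Role and Key" combines `"allowed_users": "*"` with `"allow_user_certificates": true`, so any token permitted to call `ssh-client-signer/sign/alexlebens` can obtain a certificate for any principal on every host that trusts this CA, root included; since the page only ever signs for one user, `"allowed_users": "alexlebens"` matches the intent and bounds the damage from a leaked token. On the CA setup in the same hunk, `vault write ssh-client-signer/config/ca private_key="..." public_key="..."` passes the CA private key inline, which leaves it in shell history; `private_key=@/path/to/key` reads it from a file, or `generate_signing_key=true` lets Vault create the key so it never exists outside Vault, and in either case the locally generated CA key should be deleted once Vault holds it rather than "kept in a secure location". The two `ssh-keygen -t rsa -C "alexanderlebens@gmail.com"` commands both write to the default `~/.ssh/id_rsa`, yet the SSH config, the sign command and the alias all reference `~/.ssh/id_rsa_host` and `id_rsa_host.pub`; add `-f ~/.ssh/id_rsa_host` to the client key command (and a distinct `-f` for the CA key) so the paths line up and an existing `id_rsa` is not overwritten. In "Prepare Target Host" the `TrustedUserCAKeys` line only takes effect after sshd is reloaded, which the page does not say, and in "Renew Client Certificate" the redirect `> ~/.ssh/id_rsa_host-cert.pub` truncates the current certificate to an empty file whenever `vault write` fails (expired token, Vault unreachable); writing to a temporary file and moving it into place on success avoids losing a still-valid cert. Minor: the reference link anchors to `#host-key-signing` although the guide covers client key signing, and there are typos in "documenation", "defailt", "RaspberyPis", "clafification" and "use the follow".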