---
title: Vault SSH Certificate Authority
description: Steps followed to enable using Vault as a CA for ssh login
---

# Setup

[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)

I have adapted the documentation to use my own defaults and configuration. This also assumes a running and active Vault instance.

## Enable the SSH CA

I mostly followed the defaults in the docs; see the link above for details. Use either the root token or a role with permissions for these endpoints.

Start by enabling the mount.

```bash
vault secrets enable -path=ssh-client-signer ssh
```

Generate a key. This one is used only for signing, not for client authentication. Keep it in a secure location, and change the path the key is written to when ssh-keygen prompts for it.

```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```

Add the signing key generated above.

```bash
vault write ssh-client-signer/config/ca private_key="..." public_key="..."
```

## Create Client Role and Key

Once the above is complete, create a role that will sign your own client cert. I used my usual username and configuration. This can also be done in the Vault UI.

```bash
vault write ssh-client-signer/roles/alexlebens -<<"EOH"
{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": {
    "permit-pty": ""
  },
  "key_type": "ca",
  "default_user": "alexlebens",
  "ttl": "30m0s"
}
EOH
```

## Create Client Key

Generate the ssh key used to authenticate to your hosts. This is the one to keep in ~/.ssh.

```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```

## Configure SSH to use the Key and Cert

SSH will default to using the cert when it has the matching name "id_rsa_host-cert.pub", as shown in the renewal section below. Use the principal signed by Vault as the User and set IdentityFile to the key generated above.
```
Host ps08rp
  Hostname 10.232.1.51
  User alexlebens
  IdentityFile ~/.ssh/id_rsa_host
```

# Operations

## Prepare Target Host

Download the CA public key from the endpoint.

```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
```

Then add that file to the sshd config.

```
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
```

### Automation

This step is currently manual, as I have few hosts that I need ssh for. The most common tool for automation would be Ansible, but this would only be useful for my Raspberry Pis, and I plan to migrate those to Talos and Kubernetes in the future.

## Renew Client Certificate

Sign the client cert, on your machine, with the Vault CA.

```bash
vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
```

I added the following to my .zshrc to make this easier, so now I just run "vault-renew" before I need to ssh.

```
# Vault
export VAULT_ADDR="https://vault.alexlebens.net"
alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
```

### View Cert Details

For troubleshooting or clarification, use the following to inspect the cert.

```bash
ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
```
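The renewal alias and the `ssh-keygen -L` listing above fit together: the listing's `Valid: from ... to ...` line tells you whether the 30m cert is still usable. As an added example (not from the original page or from Vault's documentation), here is a small POSIX sh wrapper that parses that line and only calls Vault to re-sign when the current cert is missing, not yet valid, or expired. It assumes the file names used on this page (`~/.ssh/id_rsa_host` and its `-cert.pub`), the role name `alexlebens`, and the `Valid:` line format `ssh-keygen -L` prints; the `SAMPLE` listing is constructed for the demo and is not a real certificate.

```shell
#!/bin/sh
# Added example (not the page's own code): renew the Vault-signed SSH cert
# only when the existing one is not usable.
# Assumed paths: ~/.ssh/id_rsa_host(.pub) and ~/.ssh/id_rsa_host-cert.pub.

CERT="${CERT:-$HOME/.ssh/id_rsa_host-cert.pub}"

# cert_validity LISTING
# Prints "<from> <to>" taken from the Valid: line of an `ssh-keygen -L`
# listing, or nothing when there is no such line (no cert file, or a
# cert with no expiry).
cert_validity() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Valid: from \([^ ]*\) to \([^ ]*\).*/\1 \2/p'
}

# cert_is_valid LISTING NOW
# Returns 0 when NOW lies inside the cert's validity window, 1 otherwise.
# NOW must use the same %Y-%m-%dT%H:%M:%S form (local time) that
# ssh-keygen prints; that form sorts lexically, so expr's string
# comparison is enough and no date arithmetic is needed.
cert_is_valid() {
    set -- $(cert_validity "$1") "$2"
    [ $# -eq 3 ] || return 1          # no Valid: line -> treat as unusable
    expr "$1" "<=" "$3" >/dev/null && expr "$3" "<" "$2" >/dev/null
}

# renew_if_needed
# Runs the same `vault write` as the vault-renew alias, but only when the
# cert on disk is not currently valid. Not called at the top level so the
# file can be sourced on a machine without Vault.
renew_if_needed() {
    listing=$(ssh-keygen -Lf "$CERT" 2>/dev/null || true)
    now=$(date +%Y-%m-%dT%H:%M:%S)
    if cert_is_valid "$listing" "$now"; then
        echo "cert still valid, nothing to do"
        return 0
    fi
    vault write -field=signed_key ssh-client-signer/sign/alexlebens \
        public_key=@"$HOME/.ssh/id_rsa_host.pub" > "$CERT"
}

# Constructed sample of an `ssh-keygen -L` listing for a 30m cert; the
# fingerprints, key ID and serial are placeholders, not real values.
SAMPLE='/home/alexlebens/.ssh/id_rsa_host-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:placeholder
        Signing CA: RSA SHA256:placeholder (using rsa-sha2-256)
        Key ID: "vault-alexlebens-placeholder"
        Serial: 1
        Valid: from 2024-05-01T09:00:00 to 2024-05-01T09:30:00
        Principals:
                alexlebens
        Critical Options: (none)
        Extensions:
                permit-pty'

# Demo against the constructed listing (no Vault or ssh-keygen needed).
if cert_is_valid "$SAMPLE" 2024-05-01T09:10:00; then
    echo "09:10 is inside the window: cert usable"
fi
if ! cert_is_valid "$SAMPLE" 2024-05-01T09:45:00; then
    echo "09:45 is after the window: would renew"
fi
```

Sourcing this file and replacing the alias with `renew_if_needed` avoids a round trip to Vault on every login while the cert is still good. The check has no early-renewal margin: a cert with a few seconds left is reported as valid, so for a long session it is still simplest to renew right before connecting.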