---
title: OpenBao SSH Certificate Authority
description: Steps followed to enable using OpenBao as a CA for ssh login
hero:
  tagline: Steps followed for the v1.12.0 upgrade process
  image:
    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp
---

# Setup

[Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/)

I have adapted the documentation to use my own defaults and configuration. This also assumes a running and active OpenBao instance.

## Enable the SSH CA

I mostly followed the defaults in the docs; see the link above for details. Use either root or a role with permissions for the endpoints.

Start with enabling the mount.

```bash
bao secrets enable -path=ssh-client-signer ssh
```

Generate a key. This will be used only for signing, not for client authentication. Keep it in a secure location and rename the path the key will be written to.

```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```

Add the above signing key.

```bash
bao write ssh-client-signer/config/ca private_key="..." public_key="..."
```

## Create Client Role and Key

Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI.

```bash
bao write ssh-client-signer/roles/alexlebens -<<"EOH"
{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": {
    "permit-pty": ""
  },
  "key_type": "ca",
  "default_user": "alexlebens",
  "ttl": "30m0s"
}
EOH
```

## Create Client Key

Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.

```bash
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
```

## Configure SSH to use the Key and Cert

SSH will default to using the cert when it has the matching name "id_rsa_host-cert.pub", as shown in the renewal certificate section.
Use the principal as signed by OpenBao as the User and set the IdentityFile to the key generated above.

```
Host ps08rp
  Hostname 10.232.1.51
  User alexlebens
  IdentityFile ~/.ssh/id_rsa_host
```

# Operations

## Prepare Target Host

Download the public cert from the endpoint.

```bash
curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key
```

Then add that file to the sshd config.

```
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
```

### Automation

This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my Raspberry Pis and I plan to migrate those to Talos and Kubernetes in the future.

## Renew Client Certificate

Sign the client cert, on your machine, with the OpenBao CA.

```bash
bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
```

I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh.

```
# OpenBao
export BAO_ADDR="https://bao.alexlebens.net"
alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
```

### View Cert Details

For troubleshooting purposes or clarification, use the following to inspect the cert.

```bash
ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
```
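As an added example (not part of the original page or of OpenBao), the script below reads the same fields `ssh-keygen -L` prints, straight from an `id_rsa_host-cert.pub` line, and decides whether the 30m cert needs another `bao-renew` before it expires or does not carry the expected principal. `build_test_cert` is an assumed helper that constructs an unsigned cert with dummy key material so the parser can be exercised offline; the key id and serial it uses are made up.

```python
import base64
import struct
import time

def _s(b):  # encode an SSH "string" (uint32 length + bytes)
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):  # decode an SSH "string" at offset, return (bytes, next offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def _rd_list(buf):  # a packed sequence of strings (principals, options, extensions)
    out, off = [], 0
    while off < len(buf):
        name, off = _rd(buf, off)
        out.append(name.decode())
    return out

def parse_cert(line):
    """Return principals/validity/extensions from an id_rsa_host-cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    kind, off = _rd(blob, 0)
    if kind != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA user certificate: %r" % kind)
    for _ in range(3):  # nonce, RSA e, RSA n: not needed for this check
        _, off = _rd(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)  # type 1 = user cert
    key_id, off = _rd(blob, off + 12)
    principals, off = _rd(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    crit, off = _rd(blob, off + 16)  # critical options, unused here
    exts, off = _rd(blob, off)
    ext_names = _rd_list(exts)[0::2]  # extensions are name/value pairs; keep names
    return {"serial": serial, "user_cert": ctype == 1, "key_id": key_id.decode(),
            "principals": _rd_list(principals), "valid_after": valid_after,
            "valid_before": valid_before, "extensions": ext_names}

def needs_renewal(cert, user, now=None, margin=300):
    """True when the cert cannot log `user` in for at least `margin` more seconds."""
    now = time.time() if now is None else now
    return (not cert["user_cert"] or user not in cert["principals"]
            or now < cert["valid_after"] or now + margin >= cert["valid_before"])

def build_test_cert(principals, valid_after, valid_before, extensions):
    """Constructed, unsigned cert with dummy key material, for offline demos only."""
    ext_blob = b"".join(_s(e.encode()) + _s(b"") for e in extensions)
    body = (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x01\x00\x01")
            + _s(b"\x00" * 64) + struct.pack(">QI", 7, 1) + _s(b"constructed-key-id")
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") + _s(ext_blob)
            + _s(b"") + _s(b"dummy-ca-key") + _s(b"dummy-signature"))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " comment"
```

Wrapping `bao-renew` in a check like `needs_renewal(parse_cert(open(path).read()), "alexlebens")` avoids re-signing a cert that is still good, and the `margin` keeps a session from starting on a cert with only seconds left.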