| title | description |
|---|---|
| Vault SSH Certificate Authority | Steps followed to enable using Vault as a CA for ssh login |
Setup
I have set the documentation to use my own defaults and configuration. This also assumes a running and active Vault instance.
Enable the SSH CA
I mostly followed the defaults in the docs; refer to the above link for details. Use either root or a role with permissions for the endpoints below.
Start by enabling the mount.
vault secrets enable -path=ssh-client-signer ssh
Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location and choose a different output path for the key file so it is not confused with your client key.
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
Add the above signing key.
vault write ssh-client-signer/config/ca private_key="..." public_key="..."
Create Client Role and Key
Once the above is complete, create a role that will be used to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
vault write ssh-client-signer/roles/alexlebens -<<"EOH"
{
"algorithm_signer": "rsa-sha2-256",
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": {
"permit-pty": ""
},
"key_type": "ca",
"default_user": "alexlebens",
"ttl": "30m0s"
}
EOH
Create Client Key
Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
Configure SSH to use the Key and Cert
SSH will default to using the cert when it sits next to the key under the matching name "id_rsa_host-cert.pub", as shown in the Renew Client Certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the key generated above.
Host ps08rp
Hostname 10.232.1.51
User alexlebens
IdentityFile ~/.ssh/id_rsa_host
Operations
Prepare Target Host
Download the CA public key from the endpoint.
curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
Then add that file to the sshd config.
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
Automation
This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my Raspberry Pis and I plan to migrate those to Talos and Kubernetes in the future.
Renew Client Certificate
Sign the client public key, on your machine, with the Vault CA to produce the cert.
vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
# Vault
export VAULT_ADDR="https://vault.alexlebens.net"
alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
View Cert Details
For troubleshooting purposes or clarification, use the following to inspect the cert.
ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
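As an added example (not part of this page or of Vault's own tooling), the following Python parses the fields of an OpenSSH user certificate that sshd evaluates and checks them against what the alexlebens role and the ssh config above expect, so a stale or mis-issued cert is caught before the ssh attempt. The certificate it builds is constructed inline with toy key values and no signature, purely to exercise the parser; a real one would be read from ~/.ssh/id_rsa_host-cert.pub instead.

```python
import base64
import struct
import time

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"

def _s(b):                  # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _strings(buf):          # split a buffer of concatenated SSH strings
    out, p = [], 0
    while p < len(buf):
        n = struct.unpack_from(">I", buf, p)[0]
        out.append(buf[p + 4:p + 4 + n]); p += 4 + n
    return out

def build_sample_cert(principals, valid_after, valid_before, extensions):
    # Constructed test input: toy RSA values and an empty signature, never CA-signed.
    body = _s(CERT_TYPE) + _s(b"\x00" * 32)                     # type, nonce
    body += _s(b"\x01\x00\x01") + _s(b"\x00\xc0\xff\xee")       # toy e, n as mpints
    body += struct.pack(">QI", 1, 1) + _s(b"sample-key-id")     # serial, type 1 = user, key id
    body += _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before) + _s(b"")   # validity, no critical opts
    body += _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions))
    body += _s(b"") * 3                                         # reserved, signature key, signature
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line):
    # Fields sshd checks at login, read from one line of a *-cert.pub file.
    blob, pos = base64.b64decode(line.split()[1]), 0
    def take(fmt=None):     # fmt=None reads an SSH string, else one fixed-width integer
        nonlocal pos
        if fmt:
            v = struct.unpack_from(fmt, blob, pos)[0]; pos += struct.calcsize(fmt); return v
        n = struct.unpack_from(">I", blob, pos)[0]; pos += 4 + n
        return blob[pos - n:pos]
    if take() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    take(); take(); take(); take(">Q")                          # nonce, e, n, serial
    ctype, key_id = take(">I"), take().decode()
    principals = [p.decode() for p in _strings(take())]
    valid_after, valid_before = take(">Q"), take(">Q")
    take()                                                      # critical options (unused here)
    extensions = [e.decode() for e in _strings(take())[::2]]    # name/value pairs -> names
    return dict(user_cert=ctype == 1, key_id=key_id, principals=principals,
                valid_after=valid_after, valid_before=valid_before, extensions=extensions)

def check_cert(line, user, now=None):
    # Problems that would break the login the ssh config above expects; [] means usable.
    c, now = parse_cert(line), int(time.time()) if now is None else now
    checks = [(not c["user_cert"], "not a user certificate"),
              (user not in c["principals"], f"{user} is not a principal: {c['principals']}"),
              (not c["valid_after"] <= now < c["valid_before"], "outside validity window, run vault-renew"),
              ("permit-pty" not in c["extensions"], "no permit-pty extension, login gets no tty")]
    return [msg for bad, msg in checks if bad]
```

Run `check_cert(open(os.path.expanduser("~/.ssh/id_rsa_host-cert.pub")).read(), "alexlebens")` against a real Vault-issued cert; an empty list means the principal, 30m window and permit-pty extension all line up with the role.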