====== Vault ======

===== vault login =====

Configure access:
<code>
$ export VAULT_TOKEN="s.nJdQXIaf61qygUCcpa84b1f"
$ export VAULT_ADDR='http://18.234.17.11:8200'
</code>

Check:
<code>
$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.3
Cluster Name    vault-cluster-1096f75c
Cluster ID      fa1e727e-0f0a-d3bc-3f6d-ac824d4d629a
HA Enabled      true
HA Cluster      https://172.31.32.23:444
HA Mode         active
</code>

Login:
<code>
$ vault login $VAULT_TOKEN
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.nJdQXIaf61qygUCcpa84b1f
token_accessor       lI5QsvD6w6AoHiSt0InO8FwD
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
</code>

===== Key=Value Store =====

==== Local interface ====

<code>
docker run -d --rm \
  -p 8000:8000 \
  -e VAULT_URL_DEFAULT=http://18.234.17.11:8200 \
  -e VAULT_AUTH_DEFAULT=TOKEN \
  --name vault-ui \
  djenriquez/vault-ui
</code>

https://github.com/djenriquez/vault-ui

===== SSH CA Signature =====

==== Setup from vault client ====

Enable:
<code>
$ vault secrets enable -path=ssh-Team ssh
Success! Enabled the ssh secrets engine at: ssh-Team/
</code>

Generate CA key:
<code>
$ vault write ssh-Team/config/ca generate_signing_key=true
Key           Value
---           -----
public_key    ssh-rsa ...
</code>

Get/check public CA key:
<code>
$ curl $VAULT_ADDR/v1/ssh-Team/public_key
ssh-rsa ...
</code>

Create a role to sign keys. Ref: [[docs:cloud:vault:roles|Vault roles]]
<code>
$ vault write ssh-Team/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"
}
EOH
Success! Data written to: ssh-Team/roles/my-role
</code>

==== Setup SSH server ====

Store (add) the public CA key:
<code>
# curl $VAULT_ADDR/v1/ssh-Team/public_key >> /etc/ssh/trusted-user-ca-keys.pem
</code>

Configure ''/etc/ssh/sshd_config'' with the **TrustedUserCAKeys** directive:
<code>
# grep Trusted /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
</code>

Restart the service:
<code>
# systemctl restart sshd.service
</code>

==== Sign key ====

Sign the public SSH key against the role. ''public_key=@'' is required to read the key from a file. The information is shown only once.
<code>
$ vault write ssh-Team/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub
Key              Value
---              -----
serial_number    9b8ddf19103438f3
signed_key       ssh-rsa-cert-v01@openssh.com ...
</code>

Obtain the signed certificate, valid for a limited time:
<code>
$ vault write -field=signed_key ssh-Team/sign/my-role \
    public_key=@$HOME/.ssh/id_rsa.pub > .ssh/Team-signed-cert.pub
</code>

Check the certificate metadata:
<code>
$ ssh-keygen -Lf .ssh/Team-signed-cert.pub
.ssh/Team-signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:2wfzL5Dgq+Ok2FYHwnFI/NYJaRfBPW5QsZIUm/jzyA
        Signing CA: RSA SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8
        Key ID: "vault-root-db07f32f90e0a3a46f61581f09c523f35825a5f04f5b942c648526fe3cf20"
        Serial: 9590107255027846222
        Valid: from 2019-07-22T16:43:08 to 2019-07-22T17:13:38
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-pty
</code>

==== Configure SSH client ====

Required files:
  * $HOME/.ssh/id_rsa.pub
  * $HOME/.ssh/Team-signed-cert.pub

Create an ssh host entry in ''$HOME/.ssh/config'':
<code>
Host myserver
    Hostname myserver.example.com
    IdentityFile ~/.ssh/Team-signed-cert.pub
    IdentityFile ~/.ssh/id_rsa
    User ubuntu
</code>

Access:
<code>
$ ssh myserver
</code>
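The fields that ''ssh-keygen -Lf'' prints above (signing CA, principals, validity, extensions) are exactly what sshd evaluates against ''TrustedUserCAKeys'' before accepting a certificate. The following is an added example, not part of this page or of Vault: it decodes the same ''ssh-rsa-cert-v01@openssh.com'' wire format in Python and applies the checks a reviewer or an audit script cares about (issuing CA fingerprint, user-certificate type, requested principal, validity window). The certificate it decodes is a constructed sample with a dummy RSA key and a fake signature; the signature itself is not verified here, sshd does that.

```python
import base64
import hashlib
import struct

def _s(b):                          # SSH "string": uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _strings(buf):                  # unpack a back-to-back sequence of SSH strings
    out, off = [], 0
    while off < len(buf):
        (n,) = struct.unpack_from(">I", buf, off)
        out.append(buf[off + 4:off + 4 + n]); off += 4 + n
    return out

def ca_fingerprint(ca_blob):        # same form ssh-keygen prints: SHA256:<unpadded base64>
    return "SHA256:" + base64.b64encode(hashlib.sha256(ca_blob).digest()).decode().rstrip("=")

def parse_user_cert(cert_line):     # decode ssh-rsa-cert-v01@openssh.com; signature is NOT verified
    blob, pos = base64.b64decode(cert_line.split()[1]), 0
    def s():                        # read the next SSH string and advance pos
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    _type, _nonce, _e, _n = s(), s(), s(), s()
    serial, kind = struct.unpack_from(">QI", blob, pos); pos += 12     # kind 1 = user, 2 = host
    key_id, principals = s().decode(), [p.decode() for p in _strings(s())]
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos); pos += 16
    critical, extensions = [[x.decode() for x in _strings(s())[0::2]] for _ in (0, 1)]  # names of name/data pairs
    _reserved, ca_fp = s(), ca_fingerprint(s())                         # signature key = the CA public key
    return dict(serial=serial, user_cert=(kind == 1), key_id=key_id, principals=principals, valid_after=valid_after,
                valid_before=valid_before, critical=critical, extensions=extensions, ca_fingerprint=ca_fp)

def check_cert(cert_line, trusted_ca_fp, principal, now):   # reasons NOT to accept the cert; [] means OK
    c, problems = parse_user_cert(cert_line), []
    if c["ca_fingerprint"] != trusted_ca_fp: problems.append("signed by an unknown CA")
    if not c["user_cert"]: problems.append("not a user certificate")
    if principal not in c["principals"]: problems.append("principal not in certificate")
    if not c["valid_after"] <= now < c["valid_before"]: problems.append("outside validity window")
    return problems

def build_sample_cert(valid_after, ttl_s=1800):   # constructed sample, not from the page: dummy key, fake signature
    ca_key = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\x11" * 256)
    body = (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\x42" * 32) + _s(b"\x01\x00\x01")  # type, nonce, e
            + _s(b"\x00" + b"\x22" * 256) + struct.pack(">QI", 0x9b8ddf19103438f3, 1)     # n, serial, user cert
            + _s(b"vault-root-placeholder") + _s(_s(b"ubuntu"))                            # key id, principals
            + struct.pack(">QQ", valid_after, valid_after + ttl_s) + _s(b"")               # validity, no critical opts
            + _s(_s(b"permit-pty") + _s(b"")) + _s(b"") + _s(ca_key)                       # extensions, reserved, CA key
            + _s(_s(b"rsa-sha2-512") + _s(b"not-a-real-signature")))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode(), ca_fingerprint(ca_key)
```

''parse_user_cert'' also accepts the real ''Team-signed-cert.pub'' line produced by Vault; compare its ''ca_fingerprint'' with the one ''ssh-keygen -lf /etc/ssh/trusted-user-ca-keys.pem'' prints on the server.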