====== Vault ======

===== vault login =====

Configure access:

  $ export VAULT_TOKEN="s.nJdQXIaf61qygUCcpa84b1f"
  $ export VAULT_ADDR='http://18.234.17.11:8200'

Check:

  $ vault status
  Key             Value
  ---             -----
  Seal Type       shamir
  Initialized     true
  Sealed          false
  Total Shares    5
  Threshold       3
  Version         1.1.3
  Cluster Name    vault-cluster-1096f75c
  Cluster ID      fa1e727e-0f0a-d3bc-3f6d-ac824d4d629a
  HA Enabled      true
  HA Cluster      https://172.31.32.23:444
  HA Mode         active

Login:

  $ vault login $VAULT_TOKEN
  
  Success! You are now authenticated. The token information displayed below
  is already stored in the token helper. You do NOT need to run "vault login"
  again. Future Vault requests will automatically use this token.
  
  Key                  Value
  ---                  -----
  token                s.nJdQXIaf61qygUCcpa84b1f
  token_accessor       lI5QsvD6w6AoHiSt0InO8FwD
  token_duration       ∞
  token_renewable      false
  token_policies       ["root"]
  identity_policies    []
  policies             ["root"]

===== Key=Value Store =====

==== Interfaz local ====

  docker run -d --rm \
  -p 8000:8000 \
  -e VAULT_URL_DEFAULT=http://18.234.17.11:8200 \
  -e VAULT_AUTH_DEFAULT=TOKEN \
  --name vault-ui \
  djenriquez/vault-ui

https://github.com/djenriquez/vault-ui



===== SSH CA Signature =====

==== Setup from vault client ====

Enable:

  $ vault secrets enable -path=ssh-Team ssh
  Success! Enabled the ssh secrets engine at: ssh-Team/

Generate CA key

  $ vault write ssh-Team/config/ca generate_signing_key=true
  Key           Value
  ---           -----
  public_key    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/F52cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsxDKgLevnNAFmaYS+Gw==

Get/check public CA key

  $ curl $VAULT_ADDR/v1/ssh-Team/public_key
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/F52cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsxDKgLevnNAFmaYS+Gw==

Create a role to sign keys. Ref: [[docs:cloud:vault:roles|Vault roles]]

  $ vault write ssh-Team/roles/my-role -<<"EOH"
  {
    "allow_user_certificates": true,
    "allowed_users": "*",
    "default_extensions": [
      {
        "permit-pty": ""
      }
    ],
    "key_type": "ca",
    "default_user": "ubuntu",
    "ttl": "30m0s"
  }
  EOH
  Success! Data written to: ssh-Team/roles/my-role

==== Setup SSH server ====

Store (add) public CA key:

  # curl $VAULT_ADDR/v1/ssh-Team/public_key >> /etc/ssh/trusted-user-ca-keys.pem

Configure ''/etc/ssh/sshd_config'' with **TrustedUserCAKeys** directive:

  # grep Trusted /etc/ssh/sshd_config
  TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

Restart service:

  # systemctl restart sshd.service

==== Sign key ====

Sing public SSH against role. ''public-key=@'' is required to process key file.

Information is show just once.

  $ vault write ssh-Team/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub
  
  Key              Value
  ---              -----
  serial_number    9b8ddf19103438f3
  signed_key       ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2Et2VydC12MDFAb3BlbnNzaC5jb20AAAAgeok98JZ/1a/Yyr9RA9KxC5uhtrVzFSeTB1j9z2+yMxEAAAADAQABAAABAQCkowdw4roqsXeTM95YXZGazbjZuO6zy/08VakcggnqDYqW7oXAaYLvtGeobdIw2X72P4pKxatBgQ1ump4kEkPIiS0LOuL4bwApoyWzAztXzQw42N6e4Qw9833f1kZf+tvv/Vg8MuThXrpjqeHKrUwrnTxzaWsENrkR3P75SK0/l6ZQqNpFq79IbWZdUP6mtJWESl/oyF5NBa/X8rs2MsMbi8lEVQ+AknlIGNMrtc5wod+PQdHZnlFw6erjQcHAqTn1AYuv0OCOekAayVmiVWJME1CQx3us8q+5ypj8xHIeO22iOwfdY8WerAhaAog1Cn8PU17UJPSeGuRElTGLZVZm43fKRAPMAAAABAAAAS3ZhdWx0LXJvb3QtZGIwN2YzMmY5MGUwYWJlM2E0NmY2MTU4MWYwOWM1MjNmMzU4MjVhNDVmMDRmNWI5NDJjNjQ4NTI2ZmUzY2YyMAAAAAsAAAAHbW9vdmVpdAAAAABdNg9vAAAAAF02FpUAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/2cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsDKgLevnNAFmaYS+GwAAAg8AAAAHc3NoLXJzYQAAAgAiFBJKD4GjBBcWyHhNzYDzYNy77RC+lT7Be6RYD7gJytskLGo0bzvZ1/jyfYzoekOyfqY2Lc+vmZceD3Re80Otq26U/5zNtV7UsmF0gPKusYjIxoWcndW4+hHzG2xM0sDt9FuT8T6iiAKBeMvWUFyj8LgwMcjbdj2zSiXEJ06z5LZqH9I8dkmo9z1N5flhIrwzAH1A0zlE8N07lPdNCEpzMenfDujGZgNRA9QpcZgCMMrg0E/pcEoL0oMQie8wxA1MIxn40pZcEsKijw378g2v81x5Fj9URjtGqj2TQv/WNK4u7G60O+vbU64RS7YhaSdGYZxQyz5lXX4vhZpCICE6suwZ4nUrPCxD1QmuBB474Nm8QWw1Ui7mQmM/+1XTxHr0EBUv7O4UuofgpOjeiWrNj54q4Jz04u8C3HvO12aVr1eqeLSD6xYgMsiz9FUaD/wjI44aFAAwRc4GyP3Hv0XdkLBa9S0J7lu8yJdOybZWk3VJQTg/MJIehvmf5BBKHeB8IXLG6hWor6aWMIQYE8V8SmbaczC2VOIOUOMyvGprtyKPuydtfvxv8nLhBpiUHv1j1XCULNuC9J6ondgl9PDwAutuN/N5ut0aZrhSLf2a4LniPNxFXhbU53I7qiKYksL2li4AbbnBFEShpuYsEgqXbQhKkLCSEuQFYH/hsg==

Obtain signed certificate for a limited time:

  $ vault write -field=signed_key ssh-Team/sign/my-role \
    public_key=@$HOME/.ssh/id_rsa.pub > .ssh/Team-signed-cert.pub

Check certificate metadata

  $ ssh-keygen -Lf .ssh/Team-signed-cert.pub
  .ssh/Team-signed-cert.pub:
          Type: ssh-rsa-cert-v01@openssh.com user certificate
          Public key: RSA-CERT SHA256:2wfzL5Dgq+Ok2FYHwnFI/NYJaRfBPW5QsZIUm/jzyA
          Signing CA: RSA SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8
          Key ID: "vault-root-db07f32f90e0a3a46f61581f09c523f35825a5f04f5b942c648526fe3cf20"  
          Serial: 9590107255027846222
          Valid: from 2019-07-22T16:43:08 to 2019-07-22T17:13:38
          Principals:
                  ubuntu
          Critical Options: (none)
          Extensions:
                  permit-pty

==== Configure SSH client ====

Requited files:

  * $HOME/.ssh/id_rsa.pub
  * $HOME/.ssh/Team-signed-cert.pub

Create ssh template at ''$HOME/.ssh/config''

  Host myserver
     Hostname myserver.example.com
     IdentityFile ~/.ssh/Team-signed-cert.pub
     IdentityFile ~/.ssh/id_rsa
     User ubuntu

Access

  $ ssh myserver