Configure access:
$ export VAULT_TOKEN="s.nJdQXIaf61qygUCcpa84b1f" $ export VAULT_ADDR='http://18.234.17.11:8200'
Check:
$ vault status Key Value --- ----- Seal Type shamir Initialized true Sealed false Total Shares 5 Threshold 3 Version 1.1.3 Cluster Name vault-cluster-1096f75c Cluster ID fa1e727e-0f0a-d3bc-3f6d-ac824d4d629a HA Enabled true HA Cluster https://172.31.32.23:444 HA Mode active
Login:
$ vault login $VAULT_TOKEN Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value --- ----- token s.nJdQXIaf61qygUCcpa84b1f token_accessor lI5QsvD6w6AoHiSt0InO8FwD token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"]
docker run -d --rm \ -p 8000:8000 \ -e VAULT_URL_DEFAULT=http://18.234.17.11:8200 \ -e VAULT_AUTH_DEFAULT=TOKEN \ --name vault-ui \ djenriquez/vault-ui
Enable:
$ vault secrets enable -path=ssh-Team ssh Success! Enabled the ssh secrets engine at: ssh-Team/
Generate CA key
$ vault write ssh-Team/config/ca generate_signing_key=true Key Value --- ----- public_key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/F52cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsxDKgLevnNAFmaYS+Gw==
Get/check public CA key
$ curl $VAULT_ADDR/v1/ssh-Team/public_key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/F52cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsxDKgLevnNAFmaYS+Gw==
Create a role to sign keys. Ref: Vault roles
$ vault write ssh-Team/roles/my-role -<<"EOH" { "allow_user_certificates": true, "allowed_users": "*", "default_extensions": [ { "permit-pty": "" } ], "key_type": "ca", "default_user": "ubuntu", "ttl": "30m0s" } EOH Success! Data written to: ssh-Team/roles/my-role
Store (add) public CA key:
# curl $VAULT_ADDR/v1/ssh-Team/public_key >> /etc/ssh/trusted-user-ca-keys.pem
Configure /etc/ssh/sshd_config
with TrustedUserCAKeys directive:
# grep Trusted /etc/ssh/sshd_config TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
Restart service:
# systemctl restart sshd.service
Sing public SSH against role. public-key=@
is required to process key file.
Information is show just once.
$ vault write ssh-Team/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub Key Value --- ----- serial_number 9b8ddf19103438f3 signed_key ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2Et2VydC12MDFAb3BlbnNzaC5jb20AAAAgeok98JZ/1a/Yyr9RA9KxC5uhtrVzFSeTB1j9z2+yMxEAAAADAQABAAABAQCkowdw4roqsXeTM95YXZGazbjZuO6zy/08VakcggnqDYqW7oXAaYLvtGeobdIw2X72P4pKxatBgQ1ump4kEkPIiS0LOuL4bwApoyWzAztXzQw42N6e4Qw9833f1kZf+tvv/Vg8MuThXrpjqeHKrUwrnTxzaWsENrkR3P75SK0/l6ZQqNpFq79IbWZdUP6mtJWESl/oyF5NBa/X8rs2MsMbi8lEVQ+AknlIGNMrtc5wod+PQdHZnlFw6erjQcHAqTn1AYuv0OCOekAayVmiVWJME1CQx3us8q+5ypj8xHIeO22iOwfdY8WerAhaAog1Cn8PU17UJPSeGuRElTGLZVZm43fKRAPMAAAABAAAAS3ZhdWx0LXJvb3QtZGIwN2YzMmY5MGUwYWJlM2E0NmY2MTU4MWYwOWM1MjNmMzU4MjVhNDVmMDRmNWI5NDJjNjQ4NTI2ZmUzY2YyMAAAAAsAAAAHbW9vdmVpdAAAAABdNg9vAAAAAF02FpUAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/2cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsDKgLevnNAFmaYS+GwAAAg8AAAAHc3NoLXJzYQAAAgAiFBJKD4GjBBcWyHhNzYDzYNy77RC+lT7Be6RYD7gJytskLGo0bzvZ1/jyfYzoekOyfqY2Lc+vmZceD3Re80Otq26U/5zNtV7UsmF0gPKusYjIxoWcndW4+hHzG2xM0sDt9FuT8T6iiAKBeMvWUFyj8LgwMcjbdj2zSiXEJ06z5LZqH9I8dkmo9z1N5flhIrwzAH1A0zlE8N07lPdNCEpzMenfDujGZgNRA9QpcZgCMMrg0E/pcEoL0oMQie8wxA1MIxn40pZcEsKijw378g2v81x5Fj9URjtGqj2TQv/WNK4u7G60O+vbU64RS7YhaSdGYZxQyz5lXX4vhZpCICE6suwZ4nUrPCxD1QmuBB474Nm8QWw1Ui7mQmM/+1XTxHr0EBUv7O4UuofgpOjeiWrNj54q4Jz04u8C3HvO12aVr1eqeLSD6xYgMsiz9FUaD/wjI44aFAAwRc4GyP3Hv0XdkLBa9S0J7lu8yJdOybZWk3VJQTg/MJIehvmf5BBKHeB8IXLG6hWor6aWMIQYE8V8SmbaczC2VOIOUOMyvGprtyKPuydtfvxv8nLhBpiUHv1j1XCULNuC9J6ondgl9PDwAutuN/N5ut0aZrhSLf2a4LniPNxFXhbU53I7qiKYksL2li4AbbnBFEShpuYsEgqXbQhKkLCSEuQFYH/hsg==
Obtain signed certificate for a limited time:
$ vault write -field=signed_key ssh-Team/sign/my-role \ public_key=@$HOME/.ssh/id_rsa.pub > .ssh/Team-signed-cert.pub
Check certificate metadata
$ ssh-keygen -Lf .ssh/Team-signed-cert.pub .ssh/Team-signed-cert.pub: Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:2wfzL5Dgq+Ok2FYHwnFI/NYJaRfBPW5QsZIUm/jzyA Signing CA: RSA SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8 Key ID: "vault-root-db07f32f90e0a3a46f61581f09c523f35825a5f04f5b942c648526fe3cf20" Serial: 9590107255027846222 Valid: from 2019-07-22T16:43:08 to 2019-07-22T17:13:38 Principals: ubuntu Critical Options: (none) Extensions: permit-pty
Requited files:
Create ssh template at $HOME/.ssh/config
Host myserver Hostname myserver.example.com IdentityFile ~/.ssh/Team-signed-cert.pub IdentityFile ~/.ssh/id_rsa User ubuntu
Access
$ ssh myserver