Vault

Configure access:

$ export VAULT_TOKEN="s.nJdQXIaf61qygUCcpa84b1f"
$ export VAULT_ADDR='http://18.234.17.11:8200'

Check:

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.3
Cluster Name    vault-cluster-1096f75c
Cluster ID      fa1e727e-0f0a-d3bc-3f6d-ac824d4d629a
HA Enabled      true
HA Cluster      https://172.31.32.23:444
HA Mode         active

Login:

$ vault login $VAULT_TOKEN

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.nJdQXIaf61qygUCcpa84b1f
token_accessor       lI5QsvD6w6AoHiSt0InO8FwD
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Local interface

docker run -d --rm \
-p 8000:8000 \
-e VAULT_URL_DEFAULT=http://18.234.17.11:8200 \
-e VAULT_AUTH_DEFAULT=TOKEN \
--name vault-ui \
djenriquez/vault-ui

https://github.com/djenriquez/vault-ui

Setup from the Vault client

Enable:

$ vault secrets enable -path=ssh-Team ssh
Success! Enabled the ssh secrets engine at: ssh-Team/

Generate CA key

$ vault write ssh-Team/config/ca generate_signing_key=true
Key           Value
---           -----
public_key    ssh-rsa <CA public key omitted>

Get/check public CA key

$ curl $VAULT_ADDR/v1/ssh-Team/public_key
ssh-rsa <CA public key omitted>

Create a role to sign keys. Ref: Vault roles

$ vault write ssh-Team/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"
}
EOH
Success! Data written to: ssh-Team/roles/my-role
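The role above uses allowed_users "*", so every caller can request any principal; before writing a role it is worth checking it against a local policy. The following is an added example, not code from these notes or from Vault: the ROLE dict is the page's payload, while MAX_TTL and ALLOWED_EXTENSIONS are an assumed local policy.

```python
"""Audit a Vault SSH CA role definition before writing it with
`vault write ssh-Team/roles/my-role -`.

Added example, not part of the original notes. ROLE is the page's payload;
MAX_TTL and ALLOWED_EXTENSIONS are an assumed local policy."""
import json
import re
import sys
from datetime import timedelta

# Role definition copied from the page's `vault write` payload.
ROLE = {
    "allow_user_certificates": True,
    "allowed_users": "*",
    "default_extensions": [{"permit-pty": ""}],
    "key_type": "ca",
    "default_user": "ubuntu",
    "ttl": "30m0s",
}

# Assumed local policy (not from the page).
MAX_TTL = timedelta(hours=1)
ALLOWED_EXTENSIONS = {"permit-pty"}


def parse_duration(value):
    """Parse a Vault/Go duration string ("30m0s", "1h30m", "45s") or an
    integer number of seconds into a timedelta."""
    if isinstance(value, int):
        return timedelta(seconds=value)
    units = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return timedelta(seconds=sum(int(n) * units[u] for n, u in parts))


def extension_names(extensions):
    """Vault documents default_extensions as a map; the page passes a list of
    single-entry maps. Return the set of extension names in either form."""
    if isinstance(extensions, dict):
        return set(extensions)
    names = set()
    for item in extensions:
        names.update(item)
    return names


def audit_role(role, max_ttl=MAX_TTL, allowed_extensions=ALLOWED_EXTENSIONS):
    """Return a list of findings; an empty list means the role passes."""
    findings = []
    if role.get("key_type") != "ca":
        findings.append("key_type must be 'ca' for certificate signing")
    if role.get("allow_user_certificates") and role.get("allow_host_certificates"):
        findings.append("role signs both user and host certificates; split it")
    if role.get("allowed_users") == "*":
        findings.append("allowed_users is a wildcard: any principal can be requested")
    if "ttl" not in role:
        findings.append("ttl not set; the engine default will apply")
    else:
        ttl = parse_duration(role["ttl"])
        if ttl > max_ttl:
            findings.append(f"ttl {role['ttl']} exceeds max_ttl {max_ttl}")
    extra = sorted(extension_names(role.get("default_extensions", [])) - allowed_extensions)
    if extra:
        findings.append("extensions not in allowlist: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    problems = audit_role(ROLE)
    for p in problems:
        print("finding:", p, file=sys.stderr)
    if problems:
        sys.exit(1)
    # Passes the policy: emit JSON for `vault write ssh-Team/roles/my-role -`
    print(json.dumps(ROLE, indent=2))
```

Saved as, say, role_audit.py (a hypothetical file name), it can be run as python role_audit.py | vault write ssh-Team/roles/my-role - : the JSON reaches Vault only when the audit returns no findings, otherwise the findings go to stderr and the exit status is non-zero.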

Setup SSH server

Store (add) public CA key:

# curl $VAULT_ADDR/v1/ssh-Team/public_key >> /etc/ssh/trusted-user-ca-keys.pem

Configure /etc/ssh/sshd_config with TrustedUserCAKeys directive:

# grep Trusted /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

Restart service:

# systemctl restart sshd.service

Sign key

Sign the public SSH key against the role. The public_key=@<file> form is required so the CLI reads the key from the file instead of using the argument as a literal string.

The information is shown only once.

$ vault write ssh-Team/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub

Key              Value
---              -----
serial_number    9b8ddf19103438f3
signed_key       ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2Et2VydC12MDFAb3BlbnNzaC5jb20AAAAgeok98JZ/1a/Yyr9RA9KxC5uhtrVzFSeTB1j9z2+yMxEAAAADAQABAAABAQCkowdw4roqsXeTM95YXZGazbjZuO6zy/08VakcggnqDYqW7oXAaYLvtGeobdIw2X72P4pKxatBgQ1ump4kEkPIiS0LOuL4bwApoyWzAztXzQw42N6e4Qw9833f1kZf+tvv/Vg8MuThXrpjqeHKrUwrnTxzaWsENrkR3P75SK0/l6ZQqNpFq79IbWZdUP6mtJWESl/oyF5NBa/X8rs2MsMbi8lEVQ+AknlIGNMrtc5wod+PQdHZnlFw6erjQcHAqTn1AYuv0OCOekAayVmiVWJME1CQx3us8q+5ypj8xHIeO22iOwfdY8WerAhaAog1Cn8PU17UJPSeGuRElTGLZVZm43fKRAPMAAAABAAAAS3ZhdWx0LXJvb3QtZGIwN2YzMmY5MGUwYWJlM2E0NmY2MTU4MWYwOWM1MjNmMzU4MjVhNDVmMDRmNWI5NDJjNjQ4NTI2ZmUzY2YyMAAAAAsAAAAHbW9vdmVpdAAAAABdNg9vAAAAAF02FpUAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQCpf6I8qnyBi9LyXkAw/pHMUdX8Yoa3wi9QzKtw8Wvcddvd9nN01H18yaRjmZcMiuDvEgF+2jZUS6TAoAWHYH5EAJRMPIwxIZho35fEr6vxNerLoyfVujIMLDitzqG1r6cBAZgmGGPdmrEW82zXfXUUXGXEjTpMN8p/2cr6mSeYyXDExUbi1Vg8SqeP9lVnixZHHdlKEnTFAA8GSZPth1IvHUFr1icCmJBMIcfUpiSZbVM/R5TsqDtQnh44N3kz/j14b9NiEtOsd3Jims3Up8Vqcd348QoVBe+d3RGVfobLgHC6O7peZs6J1Elcx0kRMIkvu4Dd4Y7qjCPVDcY3k07GbOiBhOPVDcJhiThabIocuxOF2V/yh2ZLENRudDTeD2fiHp5K7v52JH+VW7WgfQ4r3b0GswqHO84FCX9EH9xHo29yFPRnIATQ0BAsvfVkwcjxDExecOOfFmY4mpZofr1I1sVuhlsoKwG+JQL9Pb3Tz+XQKQCyNW675Xld2z4lmvZkSNCTCr/2qvkgZD9bdg9y2d5479EH2WRODPpmxony0vcDj+isfQyIg4w07auPDvr0edzs9iugZsRGrWmyjHZl2anh09q4kpcrJp96+fUuNhztXmLNlyr4kxioeT2rjM2DGRvG7Qfi95+iLzp41ONAAsDKgLevnNAFmaYS+GwAAAg8AAAAHc3NoLXJzYQAAAgAiFBJKD4GjBBcWyHhNzYDzYNy77RC+lT7Be6RYD7gJytskLGo0bzvZ1/jyfYzoekOyfqY2Lc+vmZceD3Re80Otq26U/5zNtV7UsmF0gPKusYjIxoWcndW4+hHzG2xM0sDt9FuT8T6iiAKBeMvWUFyj8LgwMcjbdj2zSiXEJ06z5LZqH9I8dkmo9z1N5flhIrwzAH1A0zlE8N07lPdNCEpzMenfDujGZgNRA9QpcZgCMMrg0E/pcEoL0oMQie8wxA1MIxn40pZcEsKijw378g2v81x5Fj9URjtGqj2TQv/WNK4u7G60O+vbU64RS7YhaSdGYZxQyz5lXX4vhZpCICE6suwZ4nUrPCxD1QmuBB474Nm8QWw1Ui7mQmM/+1XTxHr0EBUv7O4UuofgpOjeiWrNj54q4Jz04u8C3HvO12aVr1eqeLSD6xYgMsiz9FUaD/wjI44aFAAwRc4GyP3Hv0XdkLBa9S0J7lu8yJdOybZWk3VJQTg/MJIehvmf5BBKHeB8IXLG6hWor6aWMIQYE8V8SmbaczC2VOIOUOMyvGprtyKPuydtfvxv8nLhBpiUHv1j1XCULNuC9J6ondgl9PDwAutuN/N5ut0aZrhSLf2a4LniPNxFXhbU53I7qiKYksL2li4AbbnBFEShpuYsEgqXbQhKkLCSEuQFYH/hsg==

Obtain signed certificate for a limited time:

$ vault write -field=signed_key ssh-Team/sign/my-role \
  public_key=@$HOME/.ssh/id_rsa.pub > .ssh/Team-signed-cert.pub

Check certificate metadata

$ ssh-keygen -Lf .ssh/Team-signed-cert.pub
.ssh/Team-signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:2wfzL5Dgq+Ok2FYHwnFI/NYJaRfBPW5QsZIUm/jzyA
        Signing CA: RSA SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8
        Key ID: "vault-root-db07f32f90e0a3a46f61581f09c523f35825a5f04f5b942c648526fe3cf20"
        Serial: 9590107255027846222
        Valid: from 2019-07-22T16:43:08 to 2019-07-22T17:13:38
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-pty
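Reading the listing by eye confirms the fields, but in practice you want to check that the certificate was signed by the expected CA, lives no longer than the role's ttl, and carries only the intended principals and extensions. The following is an added example, not code from these notes or from Vault or OpenSSH: it parses the ssh-keygen listing above, with the expected CA fingerprint, principals and extensions taken from the page's output and role, and the 30 s backdate being Vault's default not_before_duration.

```python
"""Check a certificate listing from `ssh-keygen -L -f <cert>` against what
the Vault SSH CA role is expected to issue.

Added example, not part of the original notes. EXPECTED_CA, the principal
and extension allowlists and MAX_TTL come from the page's output and role;
BACKDATE is Vault's default not_before_duration."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample: the page's `ssh-keygen -Lf .ssh/Team-signed-cert.pub` output.
SAMPLE_LISTING = """\
.ssh/Team-signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:2wfzL5Dgq+Ok2FYHwnFI/NYJaRfBPW5QsZIUm/jzyA
        Signing CA: RSA SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8
        Key ID: "vault-root-db07f32f90e0a3a46f61581f09c523f35825a5f04f5b942c648526fe3cf20"
        Serial: 9590107255027846222
        Valid: from 2019-07-22T16:43:08 to 2019-07-22T17:13:38
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-pty
"""

EXPECTED_CA = "SHA256:trvVnfmsjRRo7RCVkDIIB6dpKzOAFfS8DtIGl49A8"
MAX_TTL = timedelta(minutes=30)      # the role's ttl
BACKDATE = timedelta(seconds=30)     # Vault's default not_before_duration
ALLOWED_PRINCIPALS = {"ubuntu"}      # the role's default_user
ALLOWED_EXTENSIONS = {"permit-pty"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
LIST_SECTIONS = {"Principals": "principals", "Extensions": "extensions",
                 "Critical Options": "critical_options"}


def parse_listing(text):
    """Turn `ssh-keygen -L` output into a dict: scalar fields keyed by their
    label, plus lists for principals, extensions and critical options."""
    info = {name: [] for name in LIST_SECTIONS.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z ]+):(?:\s+(.*))?$", line)
        if m is None:
            if section:  # indented item under a list section
                info[section].append(line)
            continue
        label, value = m.group(1), (m.group(2) or "").strip()
        if label in LIST_SECTIONS:
            section = LIST_SECTIONS[label]
            if value and value != "(none)":
                info[section].append(value)
        else:
            section = None
            info[label] = value
    return info


def validity_window(info):
    """Return (not_before, not_after); None marks an open end."""
    valid = info.get("Valid", "")
    if valid == "forever":
        return None, None
    m = re.match(r"from (\S+) to (\S+)$", valid)
    if m is None:
        raise ValueError(f"unrecognised validity: {valid!r}")
    start = None if m.group(1) == "always" else datetime.strptime(m.group(1), TS_FORMAT)
    end = None if m.group(2) == "forever" else datetime.strptime(m.group(2), TS_FORMAT)
    return start, end


def check_certificate(text, expected_ca=EXPECTED_CA, now=None, max_ttl=MAX_TTL,
                      allowed_principals=ALLOWED_PRINCIPALS,
                      allowed_extensions=ALLOWED_EXTENSIONS):
    """Return a list of findings for the listing; an empty list means it passes.
    `now` may be a datetime or a timestamp string in TS_FORMAT."""
    info = parse_listing(text)
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT)
    findings = []
    if not info.get("Type", "").endswith("user certificate"):
        findings.append("not a user certificate")
    if info.get("Signing CA", "").split()[-1:] != [expected_ca]:  # "RSA SHA256:x" -> "SHA256:x"
        findings.append("signed by unexpected CA")
    start, end = validity_window(info)
    if start is None or end is None:
        findings.append("certificate validity is open-ended")
    else:
        lifetime = end - start
        if lifetime > max_ttl + BACKDATE:
            findings.append(f"lifetime {lifetime} exceeds {max_ttl + BACKDATE}")
        if now is not None and not start <= now <= end:
            findings.append("outside validity window")
    for name, allowed in (("principals", allowed_principals), ("extensions", allowed_extensions)):
        extra = sorted(set(info[name]) - set(allowed))
        if extra:
            findings.append(f"unexpected {name}: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    # Usage: ssh-keygen -Lf ~/.ssh/Team-signed-cert.pub | python cert_check.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    now = datetime.now() if not sys.stdin.isatty() else "2019-07-22T17:00:00"
    for finding in check_certificate(listing, now=now):
        print("finding:", finding)
```

Piping a live listing into the script (cert_check.py is a hypothetical file name) checks the certificate at the current time; with no input it runs against the page's sample at a time inside its validity window and reports nothing.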

Configure SSH client

Required files:

  • $HOME/.ssh/id_rsa.pub
  • $HOME/.ssh/Team-signed-cert.pub

Create an ssh host entry in $HOME/.ssh/config:

Host myserver
   Hostname myserver.example.com
   IdentityFile ~/.ssh/Team-signed-cert.pub
   IdentityFile ~/.ssh/id_rsa
   User ubuntu

Access

$ ssh myserver