Table of Contents
Signed SSH Certificates using Hashicorp Vault
The idear of signed SSH certificates verification is to use valid (signed) SSH certificate to be verified by SSH server or by SSH client, or by both.
Mechanism
Vaildated by SSH server
Client retrieves signed public key which issued by the CA key in Vault. This key has short expiry date.
Server uses the CA public key configured in SSH configuration, validates the client public key issued by Vault.
Validated by SSH client
This is to validate server public whether signed by Vault by place public key in .ssh/known_hosts
file. This key should have long expiry date.
Steps
Vault Server preparation
- Login into Vault
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="<token>"
- Enable SSH secret engine
$ vault secrets enable -path=ssh-client-signer ssh
Successfully mounted 'ssh' at 'ssh-client-signer'!
- Configure CA
$ vault write ssh-client-signer/config/ca generate_signing_key=true
Key Value
--- -----
public_key ssh-rsa AAAAB3NzaC1yc2EA...
- Create Role
Beware of *allowed_users" and "default_user", they must be set correctly.
$ vault write ssh-client-signer/roles/my-role -<<"EOH"
{
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"default_user": "ubuntu",
"ttl": "30m0s"
}
EOH
SSH Server Setup
- Login to Vault
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="<token>"
- Save CA key
# vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
- Configure SSHD
Add following lines in /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
- Restart SSHD
# systemctl restart sshd
SSH Client
- Generate SSH key pair if haven't done
$ ssh-keygen -t rsa -C "user@example.com"
This will generate a pair of files, .ssh/id_rsa
and .ssh/id_rsa.pub
.
- Generate and save signed public key using client public key
$ vault write -field=signed_key ssh-client-signer/sign/my-role \
public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
- Verify signed key (optional)
This can verify the valid period and user
$ ssh-keygen -Lf ~/.ssh/signed-cert.pub
...
Valid: from 2021-11-27T17:51:29 to 2021-11-27T18:21:59
Principals:
ubuntu
...
- Login to server using both signed key and private key
$ ssh -i signed-cert.pub -i ~/.ssh/id_rsa username@10.0.23.5
Note: Add following configure in /etc/ssh/sshd_config
if got error __userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]__
CASignatureAlgorithms ^ssh-rsa
References
Signed SSH Certificates
Leveraging Signed SSH for Remote Access with Vault