Commands for Signed SSH Certificates using Hashicorp Vault
A list of the commands required, for the client and the server side.
Client
Generate SSH Admin token (One time)
export VAULT_ADDR='https://vault.bx.net:8200'
export VAULT_TOKEN="<ROOT_TOKEN>"
vault token create -field token -policy=ssh-admin-policy
Renew Admin token
export VAULT_TOKEN="<SSH_ADMIN_TOKEN>"
vault token renew
Generate signed certificate
export VAULT_TOKEN="<SSH_ADMIN_TOKEN>"
vault token lookup
vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/signed-cert.pub
SSH using signed certificate
ssh -i ~/.ssh/signed-cert.pub -i ~/.ssh/id_rsa <host>
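The client steps above, wrapped in a small POSIX sh helper so a practitioner can see what Vault actually issued before using it. This is an added example and not part of the original notes; it assumes the same mount (ssh-client-signer), role (my-role) and key paths as the notes, takes VAULT_ADDR and VAULT_TOKEN from the environment, and uses ssh-keygen -L to read the certificate's validity window and principals, which are the two fields sshd enforces on the server side. The parse_* helpers work on ssh-keygen -L text from stdin so they can be checked offline.

```shell
#!/bin/sh
# Client-side helper for Vault-signed SSH certificates (added example, not from
# the original notes). Assumes the mount "ssh-client-signer" and role "my-role"
# from the notes; VAULT_ADDR and VAULT_TOKEN come from the environment.

KEY="${KEY:-$HOME/.ssh/id_rsa}"
CERT="${CERT:-$HOME/.ssh/signed-cert.pub}"
SIGN_PATH="${SIGN_PATH:-ssh-client-signer/sign/my-role}"

# Fail early with a readable message instead of the raw Vault error.
check_token() {
  vault token lookup -format=json >/dev/null 2>&1 || {
    echo "vault token lookup failed: check VAULT_ADDR, VAULT_TOKEN and the server TLS cert" >&2
    return 1
  }
}

# Ask Vault to sign the public key; write to a temp file so a failed request
# never leaves a truncated certificate behind.
request_cert() {
  vault write -field=signed_key "$SIGN_PATH" public_key=@"$KEY.pub" > "$CERT.tmp" &&
    mv "$CERT.tmp" "$CERT"
}

# Extract the end of the validity window from `ssh-keygen -L` output on stdin.
parse_valid_to() {
  sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p'
}

# Extract the principals block (one per line) from `ssh-keygen -L` output on
# stdin; the block ends at the next "Name:" header line.
parse_principals() {
  awk '/Principals:/ {f=1; next}
       f && /^[ \t]*[A-Z][A-Za-z ]*:/ {f=0}
       f {gsub(/^[ \t]+/, ""); if ($0 != "") print}'
}

# Show what was issued: the TTL and principals are what the server enforces.
inspect_cert() {
  info=$(ssh-keygen -L -f "$CERT")
  echo "valid until: $(printf '%s\n' "$info" | parse_valid_to)"
  echo "principals:  $(printf '%s\n' "$info" | parse_principals | tr '\n' ' ')"
}

main() {
  host=$1
  [ -n "$host" ] || { echo "usage: $0 <host>" >&2; return 2; }
  check_token && request_cert && inspect_cert &&
    ssh -i "$CERT" -i "$KEY" "$host"
}

# Run only when explicitly asked, e.g.: VAULT_SSH_RUN=1 sh vault-ssh.sh myhost
if [ "${VAULT_SSH_RUN:-0}" = 1 ]; then main "$@"; fi
```

Checking the "Valid:" line before connecting is worth the extra step: a token whose TTL is shorter than the role's TTL, or a role with a short max TTL, produces a certificate that expires sooner than expected, and the resulting "Permission denied" from sshd gives no hint that expiry was the cause.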
Server
Save CA key
export VAULT_ADDR='https://vault.bx.net:8200'
export VAULT_TOKEN="<ROOT_TOKEN>"
vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
Configure /etc/ssh/sshd_config
Add the following lines to /etc/ssh/sshd_config:
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
CASignatureAlgorithms ^ssh-rsa
Note: Comment out the last line if SSH fails with an error after this change.
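The server steps above as one POSIX sh script, added here as an example and not part of the original notes. It assumes the same mount (ssh-client-signer) and file paths as the notes and takes VAULT_ADDR and VAULT_TOKEN from the environment. Two checks are added that the bare commands lack: the fetched CA key is installed only if ssh-keygen can parse it (so a Vault error message is never written into TrustedUserCAKeys), and the resulting config is validated with sshd -t before sshd is reloaded, which catches the error case the note above refers to. ensure_sshd_option is idempotent, so re-running the script does not accumulate duplicate directives.

```shell
#!/bin/sh
# Server-side setup for Vault-signed SSH certificates (added example, not from
# the original notes). Assumes the mount "ssh-client-signer" from the notes;
# VAULT_ADDR and VAULT_TOKEN come from the environment.

CA_FILE="${CA_FILE:-/etc/ssh/trusted-user-ca-keys.pem}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Fetch the CA public key into a temp file and install it only if ssh-keygen
# accepts it as a public key; otherwise show what Vault returned and stop.
fetch_ca_key() {
  tmp="$CA_FILE.tmp"
  vault read -field=public_key ssh-client-signer/config/ca > "$tmp" || return 1
  if ssh-keygen -l -f "$tmp" >/dev/null 2>&1; then
    mv "$tmp" "$CA_FILE" && chmod 0644 "$CA_FILE"
  else
    echo "fetched data is not a valid SSH public key:" >&2
    cat "$tmp" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Set "key value" in an sshd_config-style file exactly once: replace an
# existing active directive, otherwise append it. Safe to re-run.
ensure_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
    sed "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" &&
      mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd -t exits non-zero if any directive is rejected, which is the case the
# notes describe for the CASignatureAlgorithms line.
validate_config() {
  sshd -t -f "$SSHD_CONFIG"
}

main() {
  fetch_ca_key || return 1
  ensure_sshd_option "$SSHD_CONFIG" TrustedUserCAKeys "$CA_FILE"
  ensure_sshd_option "$SSHD_CONFIG" CASignatureAlgorithms '^ssh-rsa'
  if validate_config; then
    echo "sshd_config OK; reload sshd to apply"
  else
    echo "sshd rejected the config; comment out the CASignatureAlgorithms line and retry" >&2
    return 1
  fi
}

# Run only when explicitly asked, e.g.: VAULT_SSH_RUN=1 sh vault-ssh-server.sh
if [ "${VAULT_SSH_RUN:-0}" = 1 ]; then main "$@"; fi
```

Validating with sshd -t before reloading matters because a rejected sshd_config can leave the daemon unable to restart, and on a remote host that means losing the session used to fix it.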
Troubleshooting
Server SSL cert
The SSL certificate of the Vault server needs to be trusted by the local client; otherwise the following error occurs:
Error writing data to ssh-client-signer/sign/my-role: Put "<role_name>": x509: certificate signed by unknown authority