Category: ssh

Commands for Signed SSH Certificates using Hashicorp Vault

The commands required are listed below.

Client

Generate SSH Admin token (One time)

export VAULT_ADDR='https://vault.bx.net:8200'
export VAULT_TOKEN="<ROOT_TOKEN>"

vault token create -field token -policy=ssh-admin-policy

Renew Admin token

export VAULT_TOKEN="<SSH_ADMIN_TOKEN>"
vault token renew

Generate signed certificate

export VAULT_TOKEN="<SSH_ADMIN_TOKEN>"
vault token lookup
vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/signed-cert.pub

SSH using signed certificate

ssh -i ~/.ssh/signed-cert.pub -i ~/.ssh/id_rsa <host>
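The client steps above, wrapped in a script that asks Vault for an explicitly short-lived certificate and inspects it before connecting. This is an added example, not code from the original post: it assumes VAULT_ADDR and VAULT_TOKEN are already exported, that the mount path ssh-client-signer and role my-role exist as in the post, and that the role permits the (illustrative) TTL and principal values; the ssh-keygen -L sample text embedded below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's client-side
# commands so that the certificate is requested with an explicit short TTL and
# is inspected before it is used. Assumed: VAULT_ADDR and VAULT_TOKEN exported,
# mount ssh-client-signer and role my-role as in the post; TTL and principal
# values are illustrative and the role must permit them.
set -eu

# Request a signed certificate. ttl and valid_principals are parameters of
# Vault's ssh sign endpoint; the result is the bare certificate line.
request_cert() {
  pubkey="$1"; out="$2"; ttl="$3"; principals="$4"
  vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@"$pubkey" ttl="$ttl" valid_principals="$principals" > "$out"
  chmod 600 "$out"
}

# The helpers below parse the text printed by `ssh-keygen -L -f <cert>` (read
# on stdin) so a script can refuse a certificate that is not what it expected.

# Print the validity window, e.g. "from 2024-05-01T10:00:00 to 2024-05-01T10:30:00".
cert_validity() {
  awk '/^[ \t]*Valid: / { sub(/^[ \t]*Valid: /, ""); print }'
}

# Print the principals, one per line.
cert_principals() {
  awk '/^[ \t]*Principals:/ { inblk = 1; next }
       /^[ \t]*(Critical Options|Extensions):/ { inblk = 0 }
       inblk && NF { print $1 }'
}

# Succeed only if the certificate lists the given principal.
cert_has_principal() {
  cert_principals | grep -qxF "$1"
}

# Sign, inspect, then connect with the post's two -i flags.
sign_and_connect() {
  host="$1"; user="$2"
  request_cert "$HOME/.ssh/id_rsa.pub" "$HOME/.ssh/signed-cert.pub" 30m "$user"
  info=$(ssh-keygen -L -f "$HOME/.ssh/signed-cert.pub")
  echo "certificate valid $(printf '%s\n' "$info" | cert_validity)"
  if ! printf '%s\n' "$info" | cert_has_principal "$user"; then
    echo "certificate does not carry principal $user" >&2
    return 1
  fi
  ssh -i "$HOME/.ssh/signed-cert.pub" -i "$HOME/.ssh/id_rsa" "$user@$host"
}

# Constructed sample of `ssh-keygen -L` output, used to exercise the parsers
# offline (values are made up, not from a real certificate).
SAMPLE_CERT_INFO='/home/alice/.ssh/signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:EXAMPLEFINGERPRINT
        Signing CA: RSA SHA256:EXAMPLECAFINGERPRINT (using rsa-sha2-256)
        Key ID: "vault-alice"
        Serial: 1
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T10:30:00
        Principals:
                alice
                deploy
        Critical Options: (none)
        Extensions:
                permit-pty'

# Offline demonstration of the checks against the constructed sample.
printf '%s\n' "$SAMPLE_CERT_INFO" | cert_validity
printf '%s\n' "$SAMPLE_CERT_INFO" | cert_principals
```

Only the parsing helpers run offline; sign_and_connect needs a reachable Vault server and ssh-keygen. Checking the validity window and principals before use catches a role that silently issued a longer TTL or a different principal than the one the client intended.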

Server

Save CA key

export VAULT_ADDR='https://vault.bx.net:8200'
export VAULT_TOKEN="<ROOT_TOKEN>"

vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

Configure /etc/ssh/sshd_config

Add following lines in /etc/ssh/sshd_config

TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
CASignatureAlgorithms ^ssh-rsa

Note: comment out the last line if SSH reports an error.
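The server steps above as one idempotent script: fetch the CA public key from Vault, check that it actually looks like an OpenSSH public key before trusting it, set the two sshd_config options without duplicating them on re-runs, and only reload sshd after `sshd -t` accepts the config. This is an added example, not the post's own code; it assumes a root shell with VAULT_ADDR and VAULT_TOKEN exported and the mount path ssh-client-signer from the post, and the config lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs the Vault CA public
# key on the SSH server and sets the two sshd_config options from the post
# idempotently, validating the config before reloading. Assumed: root shell,
# VAULT_ADDR and VAULT_TOKEN exported, mount path ssh-client-signer as in the post.
set -eu

# Sanity check: the first line of the file must be an OpenSSH public key
# (key type followed by base64 data), not an error message or HTML.
is_openssh_pubkey() {
  awk 'NR == 1 && NF >= 2 &&
       $1 ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ { ok = 1 }
       END { exit ok ? 0 : 1 }' "$1"
}

# Set "key value" in an sshd_config file: replace an existing (or commented-out
# "#key ...") line for that key, otherwise append. Written via a temp file so a
# failure part-way leaves the original config untouched.
set_sshd_option() {
  key="$1"; value="$2"; cfg="$3"
  tmp="$cfg.tmp.$$"
  awk -v k="$key" -v v="$value" '
    ($1 == k || $1 == ("#" k)) { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp"
  mv "$tmp" "$cfg"
}

# Fetch the CA public key from Vault (the post's command) and install it only
# if it passes the format check.
install_ca_key() {
  dest="${1:-/etc/ssh/trusted-user-ca-keys.pem}"
  vault read -field=public_key ssh-client-signer/config/ca > "$dest.tmp"
  if ! is_openssh_pubkey "$dest.tmp"; then
    echo "unexpected content in CA key response, not installing" >&2
    rm -f "$dest.tmp"
    return 1
  fi
  chmod 644 "$dest.tmp"
  mv "$dest.tmp" "$dest"
}

# Apply the two options from the post and reload sshd only if it accepts them.
configure_sshd() {
  cfg="${1:-/etc/ssh/sshd_config}"
  set_sshd_option TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem "$cfg"
  set_sshd_option CASignatureAlgorithms '^ssh-rsa' "$cfg"
  if sshd -t -f "$cfg"; then
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
  else
    echo "sshd rejected the config; as the post notes, drop the CASignatureAlgorithms line if it is the cause" >&2
    return 1
  fi
}

# Full server-side procedure (needs Vault, root and sshd; not run offline).
apply_all() {
  install_ca_key && configure_sshd
}
```

Run apply_all on the server; set_sshd_option and is_openssh_pubkey work on any file and can be exercised on a copy of sshd_config first. Validating with `sshd -t` before reloading matters because a rejected directive can otherwise leave the daemon unable to restart.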

Troubleshooting

Server SSL cert

The TLS certificate of the Vault server must be trusted by the local client; otherwise the following error occurs:

Error writing data to ssh-client-signer/sign/my-role: Put "<role_name>": x509: certificate signed by unknown authority

References

More secure but easy ways to access SSH server

Besides a user name and password, which is hard to remember if you want it to resist guessing, there are other easy ways to protect an SSH server.

Public Key

Steps

This is the simplest way: just generate a key pair,

ssh-keygen

For more security, generate a 4096-bit RSA key

ssh-keygen -t rsa -b 4096

Then append the public key in .ssh/id_rsa.pub to the remote .ssh/authorized_keys

Cons

  • Must be performed for every user
  • Client public keys must be installed on every target server
  • No expiration

Signed Certificate

Steps

Refer to Signed SSH Certificates using Hashicorp Vault in Practice

  • Use free software, HashiCorp Vault, to manage signed certificates.

  • Install the trusted CA key retrieved from Vault into the target SSH server's configuration.

  • Use the authorized token and the client private key to generate a short-lived signed certificate.

  • Log in to the target server with the signed certificate and the client private key.

Note: only a normal token is needed to generate a signed certificate.

  • The authorized token can be renewed (replaced) after use.

Pros

  • The token never reaches the Internet, and it can be renewed (replaced) at any time
  • The signed certificate is short-lived

Cons

A token must be saved

2FA

Steps

Refer to Enable 2FA for Ubuntu

Pros

  • Only needs 2FA software, and appending the digits after the key in the password
  • The digits are short-lived

LDAP or Kerberos

Instead of every server maintaining its own passwords, passwords are centrally managed by an authentication server.

Cons

  • Every server needs a connection to the authentication server
  • Cannot log in if the connection to the authentication server is lost
  • All servers use the same password

One time password

Retrieve a password from the authentication server, then use it to log in to the remote server.

The remote server verifies it against the authentication server.

Cons

  • Every server needs a connection to the password server
  • Cannot log in if the connection to the password server is lost