Change default SSH settings for remote host
List the commands required.
vault token create -field token -policy=ssh-admin-policy
vault token renew
vault token lookup
vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/signed-cert.pub
ssh -i ~/.ssh/signed-cert.pub -i ~/.ssh/id_rsa <host>
vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
Add the following lines in
Note: Comment out the last line if SSH reports an error.
The SSL certificate of the Vault server must be trusted by the local client; otherwise the following error occurs:
Error writing data to ssh-client-signer/sign/my-role: Put "<role_name>": x509: certificate signed by unknown authority
This is required if the host key was replaced on the target server.
ssh-keygen -R HOSTNAME
ssh-keygen -R IP_ADDRESS
Apart from a username and password, which are hard to remember if you want to stop others from guessing them easily, there are other easy ways to protect an SSH server.
This is the simplest way: just generate a key pair.
For more security, generate a 4096-bit RSA key:
ssh-keygen -t rsa -b 4096
Then inject the public key in .ssh/id_rsa.pub into the remote
Use the free software HashiCorp Vault to manage signed certificates.
Inject the trusted CA key retrieved from Vault into the target SSH server configuration,
Use an authorized token and the client private key to generate a short-lived signed certificate
Use the signed certificate and the client private key to log in to the target server
Note: Only a normal token is needed to generate a signed certificate
The token needs to be saved
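As an added example that is not part of the original notes, the following Python parses the public part of an OpenSSH user certificate (the line format Vault writes to ~/.ssh/signed-cert.pub) and checks its type, validity window and principals before a login is attempted with it. The build_user_cert helper, its placeholder RSA key, empty signature and sample values are constructed for this example and carry no real CA signature.

```python
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"

def _pack_str(b):
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_str(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_user_cert(key_id, principals, valid_after, valid_before):
    """Constructed sample cert (placeholder key, empty signature) as one pubkey line."""
    body = _pack_str(CERT_TYPE) + _pack_str(b"nonce-placeholder")
    body += _pack_str(b"\x01\x00\x01") + _pack_str(b"\x42" * 32)  # mpint e, mpint n (placeholders)
    body += struct.pack(">QI", 1, 1)  # serial, type (1 = user cert, 2 = host cert)
    body += _pack_str(key_id.encode())
    body += _pack_str(b"".join(_pack_str(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)  # unix seconds
    body += _pack_str(b"") * 3  # critical options, extensions, reserved
    body += _pack_str(b"ca-key-placeholder") + _pack_str(b"")  # signature key, signature
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line):
    """Parse the fields sshd checks from a 'ssh-rsa-cert-v01@openssh.com <base64>' line."""
    blob = base64.b64decode(line.split()[1])
    key_type, off = _read_str(blob, 0)
    if key_type != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    for _ in range(3):  # skip nonce, e, n
        _, off = _read_str(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_str(blob, off)
    raw, off = _read_str(blob, off)
    principals, p = [], 0
    while p < len(raw):  # principals are packed as consecutive SSH strings
        name, p = _read_str(raw, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def cert_is_usable(line, user, now):
    """True if user cert, inside its window (valid_before is exclusive, as in sshd), and names user."""
    c = parse_cert(line)
    return c["type"] == 1 and c["valid_after"] <= now < c["valid_before"] and user in c["principals"]
```

Run cert_is_usable against the real file with the current time to see whether a short-lived certificate has already expired before the ssh command above fails on it.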
Refer to Enable 2FA for Ubuntu
Instead of every server maintaining its own passwords, passwords are centrally managed by an authentication server.
Retrieve a password from the authentication server, then use it to log in to the remote server.
The remote server will verify it against the authentication server.