Vault signed SSH certificates for access to Linux servers

Pre-Requisite

  • Target servers need OpenSSH 6.5 or later: the CA keypair used below is ed25519, and ed25519 support was introduced in OpenSSH 6.5.
  • NOTE: a signed SSH certificate is only valid inside the validity window that Vault stamps into it at signing time (the role TTL below is two hours), so the clocks of the Vault server and every target host must be synchronized (NTP); otherwise sshd rejects the certificate as not yet valid or expired.

Mount the secrets engine

vault secrets enable -path=ssh-client-signer ssh

Configure Vault with a CA for signing client keys using the /config/ca endpoint.

Prepare an ed25519 keypair for the CA (its private key signs every client certificate, so keep it out of any repository)

ssh-keygen -t ed25519 -f ssh_ca/id_ed25519

Import the keypair as the signing CA. Vault can also generate the CA key itself (generate_signing_key=true on the same endpoint), in which case the private key never exists outside Vault; if you import your own as here, delete the local copy afterwards

vault write ssh-client-signer/config/ca private_key=@ssh_ca/id_ed25519 public_key=@ssh_ca/id_ed25519.pub

Export the CA public key and install it on every target host. Only the public key leaves Vault; reading it this way needs a Vault token on the host, the unauthenticated ssh-client-signer/public_key endpoint is the alternative

vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

Point sshd at that file with the TrustedUserCAKeys option on every target host, then reload sshd

# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
# Only needed for an RSA CA key on OpenSSH 8.2 or later, which dropped SHA-1 "ssh-rsa"
# CA signatures from the default list; it re-enables them and is unnecessary (and weaker)
# with the ed25519 CA configured above:
# CASignatureAlgorithms ^ssh-rsa

Create the ssh login user to all target hosts

useradd -m p4sautomation

Give the user sudo rights (preferably in a file under /etc/sudoers.d edited with visudo). The certificate only decides who may log in as p4sautomation; this entry then gives every holder of a Vault-signed certificate passwordless root, so narrow the command list to what the automation actually needs where you can

# /etc/sudoers
p4sautomation ALL=(ALL) NOPASSWD: ALL
Defaults:p4sautomation !requiretty

Create a named Vault role for signing client keys. allowed_users limits the principals a requester may ask for, allowed_extensions limits what a certificate may carry (drop permit-port-forwarding if the automation does not need it), default_extensions is applied when the request names none, and ttl sets the certificate lifetime (two hours here)

vault write ssh-client-signer/roles/p4s-automation-role - <<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "p4sautomation",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "p4sautomation",
  "ttl": "120m0s"
}
EOH

Client SSH Authentication
Create a client keypair with ssh-keygen, then have Vault sign its public key; valid_principals must be one of the role's allowed_users

ssh-keygen -t rsa -f ssh_cert/id_rsa
vault write -field=signed_key ssh-client-signer/sign/p4s-automation-role public_key=@ssh_cert/id_rsa.pub valid_principals=p4sautomation > signed-cert.pub

Log in to the target host with the signed certificate and the private key (the private key never went to Vault; only the public key was signed). If the certificate is saved as ssh_cert/id_rsa-cert.pub next to the key, ssh picks it up automatically and the first -i can be dropped.
Note: the validity window is stamped by the Vault server at signing time, so the target host's clock must fall inside it; a host whose clock is behind Vault's rejects a freshly issued certificate as not yet valid, and one whose clock is ahead sees it expire early.

ssh -i signed-cert.pub -i ssh_cert/id_rsa p4sautomation@30.80.133.80
Last login: Tue Jan 25 07:59:35 2022 from 204.104.46.242
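To see exactly what Vault put into signed-cert.pub and to catch the two rejections above (wrong principal, clock skew) before calling ssh, here is an added example, not code from this post or from Vault: a stdlib-only Python parser for the OpenSSH certificate format, with a constructed sample certificate (dummy key material, empty signature, labelled as such in the code) so it runs offline. It decodes the same fields ssh-keygen -L -f signed-cert.pub prints; it does not verify the CA signature, which sshd does against TrustedUserCAKeys.

```python
import base64
import struct
import time

# Added example, not code from the post or from Vault: a stdlib-only parser for the
# OpenSSH certificate format (what Vault writes to signed-cert.pub) plus a pre-flight
# check for the two rejection causes above: wrong principal and a skewed clock.
# It reads the fields sshd evaluates; it does NOT verify the CA signature.

USER_CERT = 1  # "type" field value for a user certificate (2 = host certificate)

# Length-prefixed public-key fields that follow the nonce, per certificate type.
_PUBKEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2,               # mpint e, mpint n
                  "ssh-ed25519-cert-v01@openssh.com": 1,           # string pk
                  "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}   # string curve, string Q

def _string(buf, off):
    """Read one RFC 4251 string (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(b):
    return struct.pack(">I", len(b)) + b

def _strings(blob):
    """Decode a packed list of strings (the valid-principals field)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _string(blob, off)
        out.append(s.decode())
    return out

def _pairs(blob):
    """Decode critical options / extensions: repeated (name, data) strings, where data
    is a packed string for valued entries (force-command) and empty for flags (permit-pty)."""
    out, off = {}, 0
    while off < len(blob):
        name, off = _string(blob, off)
        data, off = _string(blob, off)
        out[name.decode()] = _string(data, 0)[0].decode() if data else ""
    return out

def parse_openssh_cert(line):
    """Parse one '<type> <base64> [comment]' line of a *-cert.pub file into a dict."""
    parts = line.split()
    cert_type, blob = parts[0], base64.b64decode(parts[1])
    inner_type, off = _string(blob, 0)
    if inner_type.decode() != cert_type or cert_type not in _PUBKEY_FIELDS:
        raise ValueError("unsupported certificate type: %s" % cert_type)
    _nonce, off = _string(blob, off)
    for _ in range(_PUBKEY_FIELDS[cert_type]):   # skip the certified public key
        _, off = _string(blob, off)
    serial, typ = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    principals, off = _string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    crit, off = _string(blob, off + 16)
    ext, off = _string(blob, off)
    _reserved, off = _string(blob, off)
    sig_key, off = _string(blob, off)             # CA public key blob
    _signature, off = _string(blob, off)
    return {"cert_type": cert_type, "serial": serial, "type": typ, "key_id": key_id.decode(),
            "principals": _strings(principals),
            "valid_after": valid_after, "valid_before": valid_before,  # unix secs, [after, before)
            "critical_options": _pairs(crit), "extensions": _pairs(ext),
            "ca_key_type": _string(sig_key, 0)[0].decode()}

def check_cert(cert, login_user, now=None):
    """Reasons sshd would reject this cert for login_user at time now; [] means ok."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if login_user not in cert["principals"]:
        problems.append("principal %r not in %s" % (login_user, cert["principals"]))
    if now < cert["valid_after"]:
        problems.append("not yet valid for %d s (clock skew?)" % (cert["valid_after"] - now))
    if now >= cert["valid_before"]:
        problems.append("expired %d s ago" % (now - cert["valid_before"]))
    return problems

def build_sample_cert(principals, valid_after, ttl, extensions=("permit-pty",)):
    """CONSTRUCTED sample so the parser can be exercised offline: an ssh-rsa user cert
    with dummy key material and an empty signature. Not issued by Vault, unusable for login."""
    ctype = b"ssh-rsa-cert-v01@openssh.com"
    body = _pack(ctype) + _pack(b"\x00" * 32)                              # nonce
    body += _pack(b"\x01\x00\x01") + _pack(b"\x00\xc1" + b"\x55" * 255)   # e, n (dummy)
    body += struct.pack(">QI", 1, USER_CERT)                               # serial, type
    body += _pack(b"example-key-id")
    body += _pack(b"".join(_pack(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_after + ttl)
    body += _pack(b"")                                                     # critical options
    body += _pack(b"".join(_pack(e.encode()) + _pack(b"") for e in extensions))
    body += _pack(b"")                                                     # reserved
    body += _pack(_pack(b"ssh-ed25519") + _pack(b"\x00" * 32))             # dummy CA key
    body += _pack(b"")                                                     # signature omitted
    return "%s %s p4sautomation" % (ctype.decode(), base64.b64encode(body).decode())
```

Run parse_openssh_cert on the text of signed-cert.pub and then check_cert(cert, "p4sautomation") before the ssh command; a non-empty list names the reason sshd would refuse the login, and the principals and extensions in the dict should match what the role allowed. The ecdsa-sha2-nistp384 and nistp521 certificate types have the same layout as nistp256 and can be added to _PUBKEY_FIELDS.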
