Pre-Requisite
- Target servers must install or upgrade to OpenSSH 6.5 or above: the SSH keys in this procedure are generated with the "ed25519" algorithm, which OpenSSH introduced in version 6.5.
- Please NOTE: signed SSH certificates expire after their TTL, so it is critical that the clocks of the Vault server and the target host servers are synchronized; otherwise certificate validation will fail.
Mount the secrets engine
vault secrets enable -path=ssh-client-signer ssh
Configure Vault with a CA for signing client keys using the /config/ca endpoint.
Prepare an ed25519 SSH key pair for the CA:
ssh-keygen -t ed25519 -f ssh_ca/id_ed25519
With the key pair written to ssh_ca by ssh-keygen, create the CA with:
vault write ssh-client-signer/config/ca private_key=@ssh_ca/id_ed25519 public_key=@ssh_ca/id_ed25519.pub
Add the public key to all target hosts' SSH configuration
vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
On every target host, add the path of the file holding the public key to the SSH daemon configuration as the TrustedUserCAKeys option:
# /etc/ssh/sshd_config
CASignatureAlgorithms ^ssh-rsa
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
Create the SSH login user on all target hosts
useradd -m p4sautomation
Add the user to the sudoers config file
# /etc/sudoers
p4sautomation ALL=(ALL) NOPASSWD: ALL
Defaults:p4sautomation !requiretty
Create a named Vault role for signing client keys
vault write ssh-client-signer/roles/p4s-automation-role - <<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "p4sautomation",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "p4sautomation",
  "ttl": "120m0s"
}
EOH
Client SSH Authentication
Use ssh-keygen to create a key pair, then request a signed certificate for it with:
ssh-keygen -t rsa -f ssh_cert/id_rsa
vault write -field=signed_key ssh-client-signer/sign/p4s-automation-role public_key=@ssh_cert/id_rsa.pub valid_principals=p4sautomation > signed-cert.pub
Use the signed certificate together with the private key to log in to the target host.
Note: the machine that requests the signed certificate must have its clock synchronized with the target servers; otherwise the login will probably fail because the target's local time falls outside the certificate's validity window.
ssh -i signed-cert.pub -i ssh_cert/id_rsa p4sautomation@30.80.133.80
Last login: Tue Jan 25 07:59:35 2022 from 204.104.46.242
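The two caveats above (the TTL-bounded validity window that breaks when clocks drift, and the allowed_users / valid_principals restriction in the role) can be checked on the client before an SSH attempt, because everything sshd will evaluate is encoded in signed-cert.pub. The following is an added example, not code from the page or from Vault: it decodes an OpenSSH certificate per OpenSSH's PROTOCOL.certkeys layout and reports why the target would reject it. It does not verify the CA signature (sshd does that against TrustedUserCAKeys), and build_test_cert produces a constructed, unsigned certificate with placeholder key and signature bytes so the parser can be exercised offline; the key id, principals and extension values in it are assumptions.

```python
import base64
import struct
import time

USER_CERT = 1  # cert_type value for user certificates (2 = host certificate)

# Public-key fields that follow the nonce, per certificate type (PROTOCOL.certkeys).
_KEY_FIELDS = {
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, point
}

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _read_strings(buf):
    """Split a buffer holding back-to-back SSH strings into a list."""
    items, off = [], 0
    while off < len(buf):
        s, off = _read_string(buf, off)
        items.append(s)
    return items

def _name_data_pairs(buf):
    """Critical options and extensions are encoded as (string name, string data) pairs."""
    items = _read_strings(buf)
    return {items[i].decode(): items[i + 1] for i in range(0, len(items), 2)}

def parse_openssh_cert(line):
    """Parse one line of an OpenSSH *-cert.pub file into its policy-relevant fields.
    The CA signature is not verified here; sshd does that against TrustedUserCAKeys."""
    cert_type, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    t, off = _read_string(buf, 0)
    if t != cert_type.encode():
        raise ValueError("type prefix does not match certificate blob")
    _nonce, off = _read_string(buf, off)
    for _ in range(_KEY_FIELDS[t]):          # skip the embedded user public key
        _, off = _read_string(buf, off)
    serial, ctype = struct.unpack(">QI", buf[off:off + 12])
    off += 12
    key_id, off = _read_string(buf, off)
    principals, off = _read_string(buf, off)
    valid_after, valid_before = struct.unpack(">QQ", buf[off:off + 16])
    off += 16
    critical, off = _read_string(buf, off)
    extensions, off = _read_string(buf, off)
    return {
        "type": t.decode(), "serial": serial, "cert_type": ctype,
        "key_id": key_id.decode(),
        "principals": [p.decode() for p in _read_strings(principals)],
        "valid_after": valid_after, "valid_before": valid_before,
        "critical_options": _name_data_pairs(critical),
        "extensions": _name_data_pairs(extensions),
    }

def check_cert(cert, user, now=None, skew=60):
    """Return the reasons sshd on the target would (or will soon) reject this certificate."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["cert_type"] != USER_CERT:
        problems.append("not a user certificate")
    if user not in cert["principals"]:
        problems.append("principal %r not in %r" % (user, cert["principals"]))
    if now < cert["valid_after"]:
        problems.append("not yet valid for %d s (signer clock ahead of target?)" % (cert["valid_after"] - now))
    if now >= cert["valid_before"]:
        problems.append("expired %d s ago" % (now - cert["valid_before"]))
    elif cert["valid_before"] - now < skew:
        problems.append("expires in %d s, inside the %d s skew margin" % (cert["valid_before"] - now, skew))
    return problems

def _pack(b):
    return struct.pack(">I", len(b)) + b

def build_test_cert(principals, valid_after, valid_before, extensions=("permit-pty",)):
    """Constructed, UNSIGNED ed25519 user certificate for offline testing of the parser.
    Nonce, public key and signature are placeholder bytes, not real Vault output."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = (
        _pack(t)
        + _pack(b"\x00" * 32)                       # nonce (placeholder)
        + _pack(b"\x01" * 32)                       # ed25519 public key (placeholder)
        + struct.pack(">QI", 1, USER_CERT)          # serial, certificate type
        + _pack(b"vault-p4s-automation-role-test")  # key id (assumed)
        + _pack(b"".join(_pack(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _pack(b"")                                # no critical options
        + _pack(b"".join(_pack(e.encode()) + _pack(b"") for e in extensions))
        + _pack(b"")                                # reserved
        + _pack(b"ca-key-placeholder")
        + _pack(b"signature-placeholder")
    )
    return "%s %s constructed" % (t.decode(), base64.b64encode(body).decode())

if __name__ == "__main__":
    import sys  # usage: python check_cert.py signed-cert.pub (falls back to the constructed cert)
    now = int(time.time())
    line = open(sys.argv[1]).read().strip() if len(sys.argv) > 1 else build_test_cert(["p4sautomation"], now - 60, now + 7200)
    cert = parse_openssh_cert(line)
    print(cert["key_id"], cert["principals"], sorted(cert["extensions"]))
    print(check_cert(cert, "p4sautomation") or "OK")
```

Running it against the real signed-cert.pub from the sign call above shows the principal list Vault embedded (here only p4sautomation, since the role limits allowed_users) and the exact valid_after/valid_before epoch seconds; a "not yet valid" result on a freshly issued certificate is the clock-skew failure described in the note, and is diagnosed here before it turns into an opaque "Permission denied" on the target.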