Mirror of https://github.com/hashicorp/vault.git, synced 2026-06-09 08:53:26 -04:00
docs: Elaborate the steps for SSH CA backend with 'sshd_config' changes (#2507)
parent de2e28703a
commit cf0fb2119f
1 changed file with 126 additions and 78 deletions
@ -3,41 +3,133 @@ layout: "docs"
page_title: "SSH Secret Backend"
sidebar_current: "docs-secrets-ssh"
description: |-
The SSH secret backend for Vault generates dynamic SSH keys or One-Time-Passwords.
The SSH secret backend for Vault generates signed SSH certificates, dynamic SSH keys or One-Time-Passwords.
---

# SSH Secret Backend

Name: `ssh`

Vault SSH backend dynamically generates SSH credentials for remote hosts. This
increases security by removing the need to share private keys with all users
needing access to infrastructure. It also solves the problem of management and
distribution of keys belonging to remote hosts.
Vault SSH backend tries to solve the problem of managing access to machine
infrastructure by providing different ways to issue SSH credentials.

This backend supports two types of credential creation: Dynamic Key and
One-Time Password (OTP), which address these problems in different ways.

Read and carefully understand both of them before choosing the one which best
suits your needs. The Vault team strongly recommends the OTP type whenever
possible, and the drawbacks to the dynamic key type should be carefully
considered before choosing it.
The backend issues in 3 types of credentials: CA signed keys, Dynamic keys and
OTP keys. Read and carefully understand all the types before choosing the one
which best suits your needs. In relation to the dynamic key and OTP key type,
the CA key signing is the simplest and most powerful in terms of setup
complexity and in terms of being platform agnostic.

This page will show a quick start for this backend. For detailed documentation
on every path, use `vault path-help` after mounting the backend.

### Mounting SSH
----------------------------------------------------
## I. CA Key Type

The `ssh` backend is not mounted by default and needs to be explicitly mounted.
This is a common step for both OTP and Dynamic Key types.
When using this type, an SSH CA signing key is generated or configured at the
backend's mount. This key will be used to sign other SSH keys. The private half
of the signing key always stays within Vault and the public half is exposed via
the API. Each mount of this backend represents a unique signing key pair. It is
recommended that the host keys and client keys are signed using different
mounts of this backend.

### Mount a backend's instance for signing host keys

```text
$ vault mount ssh
Successfully mounted 'ssh' at 'ssh'!
vault mount -path ssh-host-signer ssh
Successfully mounted 'ssh' at 'ssh-host-signer'!
```

### Mount a backend's instance for signing client keys

```text
vault mount -path ssh-client-signer ssh
Successfully mounted 'ssh' at 'ssh-client-signer'!
```

### Configure the host CA certificate

```text
vault write -f ssh-host-signer/config/ca
Key Value
--- -----
public_key ssh-rsa
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
```

The returned host CA public key should be added to `known_hosts` file in all
the client machines with a `@cert-authority *.domain` prefix. The host CA
public key can also be retrieved using `vault read ssh-host-signer/config/ca`.

### Configure the client CA certificate

```text
vault write -f ssh-client-signer/config/ca
Key Value
--- -----
public_key ssh-rsa
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
```

The returned client CA public key should be added to `TrustedUserCAKeys` list
in `sshd_config` of the host machine. The client CA public key can also be
retrieved using `vault read ssh-client-signer/config/ca`.

### Allow host certificate to have longer TTLs

```text
vault mount-tune -max-lease-ttl=87600h ssh-host-signer
Successfully tuned mount 'ssh-host-signer'!
```

### Create a role to sign host keys

```text
vault write ssh-host-signer/roles/hostrole ttl=87600h allow_host_certificates=true key_type=ca
Success! Data written to: ssh-host-signer/roles/hostrole
```

### Create a role to sign client keys

```text
vault write ssh-client-signer/roles/clientrole allow_user_certificates=true ttl=5m key_type=ca
Success! Data written to: ssh-client-signer/roles/clientrole
```

### Sign the host key

```text
cat hostkey.pub | vault write -format=json ssh-host-signer/sign/hostrole public_key=- cert_type=host
Key Value
--- -----
serial_number 3746eb17371540d9
signed_key ssh-rsa-cert-v01@openssh.com
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
```

Set the signed certificate as `HostCertificate` in the `sshd_config` in host
machine.

### Sign the client key

```text
cat clientkey.pub | vault write ssh-client-signer/sign/clientrole public_key=-
Key Value
--- -----
serial_number c73f26d2340276aa
signed_key ssh-rsa-cert-v01@openssh.com
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
```

Save the signed key in a file, say `signed-client-cert.pub`.

### SSH into the host machine

```text
ssh -i signed-client-cert.pub username@<IP of remote host>
username@<IP of remote host>:~$
```
----------------------------------------------------
## I. One-Time-Password (OTP) Type
## II. One-Time-Password (OTP) Type

This backend type allows a Vault server to issue an OTP every time a client
wants to SSH into a remote host, using a helper command on the remote host to

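Review bot: the closing step `ssh -i signed-client-cert.pub username@<IP of remote host>` hands ssh only the certificate; OpenSSH still needs the private key whose `clientkey.pub` was signed, so as written this only succeeds when that key is already loaded in ssh-agent. Either save the certificate as `clientkey-cert.pub` next to the private key and run `ssh -i clientkey ...` (ssh then loads the `-cert.pub` file on its own), or pass `-i clientkey -o CertificateFile=signed-client-cert.pub`. Two smaller points in the same hunk: `vault write -format=json ssh-host-signer/sign/hostrole ...` would print JSON rather than the `Key Value` table shown, so either drop `-format=json` or show JSON output; and the `known_hosts` instruction should spell out the whole line, `@cert-authority *.domain <host CA public key>`, with the pattern scoped to the hosts this CA actually signs rather than `*`, because every host presenting a certificate from that CA and matching the pattern will be trusted. Finally, "The backend issues in 3 types of credentials" reads better as "issues three types of credentials".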
@ -64,7 +156,14 @@ successful request. This risk can be mitigated by using TLS for the connection
to Vault and checking certificate validity; future enhancements to this backend
may allow for extra security on top of what TLS provides.

### Creating a Role
### Mount the backend

```text
$ vault mount ssh
Successfully mounted 'ssh' at 'ssh'!
```

### Create a Role

Create a role with the `key_type` parameter set to `otp`. All of the machines
represented by the role's CIDR list should have helper properly installed and
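Review bot: the mount block here keeps a `$ ` prompt (`$ vault mount ssh`) while every command in the new CA section is written without one (`vault mount -path ssh-host-signer ssh`, `vault write -f ssh-host-signer/config/ca`); pick one style for the page so readers can copy commands consistently. Renaming `### Creating a Role` to `### Create a Role` matches the imperative headings used in the CA section, which is fine.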
@ -127,7 +226,7 @@ Note: `sshpass` cannot handle host key checking. Host key checking can be
disabled by setting `-strict-host-key-checking=no`.

----------------------------------------------------
## II. Dynamic Key Type
## III. Dynamic Key Type

When using this type, the administrator registers a secret key with appropriate
`sudo` privileges on the remote machines; for every authorized credential
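Review bot: the unchanged context line "Host key checking can be disabled by setting `-strict-host-key-checking=no`" now sits below a CA section that shows how to keep host key checking on (a Vault-signed `HostCertificate` in the host's `sshd_config` plus a `@cert-authority` entry in each client's `known_hosts`); the OTP text should point readers at that rather than present disabling the check as the workaround, since turning it off for `sshpass` gives up the protection against a spoofed host. The renumbering to `## III. Dynamic Key Type` is consistent with the new `## I. CA Key Type` and `## II.` OTP headings.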
@ -186,6 +285,13 @@ vaultadmin ALL=(ALL)NOPASSWD: ALL
Next, infrastructure configuration must be registered with Vault via roles.
First, however, the shared secret key must be specified.

### Mount the backend

```text
$ vault mount ssh
Successfully mounted 'ssh' at 'ssh'!
```

#### Registering the shared secret key

Register a key with a name; this key must have administrative capabilities on
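Review bot: inserting `### Mount the backend` directly after "First, however, the shared secret key must be specified." breaks the flow of that sentence, and the following `#### Registering the shared secret key` now reads as a sub-step of mounting. Move the mount block above "Next, infrastructure configuration must be registered with Vault via roles." and promote the registration heading to `###` so it sits at the same level as `### Create a Role` in the OTP section. The block also repeats the OTP section's mount block verbatim, `$ ` prompt included, so the same prompt-style choice applies here.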
@ -291,64 +397,6 @@ $ vault ssh -role dynamic_key_role username@<IP of remote host>
username@<IP of remote host>:~$
```

----------------------------------------------------
## III. CA Key Type

When using this type, an SSH key is generated and then used to sign other SSH
keys. The public half of the key is distributed to remote hosts while the
private part stays within Vault. This allows SSH public keys to be signed by
Vault and then verified using only the public key.

### Configure a CA certificate

The first thing to do is to get Vault to generate the key pair that will be
used to sign any SSH keys:

```text
$ vault write -f ssh/config/ca
Key Value
--- -----
public_key ssh-rsa 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
```

### Creating a Role

The next step is to configure a role. A role is a logical name that maps to a
policy used to generate those credentials. For example, let's create an
"example" role:

```text
$ vault write ssh/roles/example ttl=4h allow_user_certificates=true key_type=ca
Success! Data written to: ssh/roles/example
```

### Create a Credential

By writing to the `roles/example` path we are defining the `example` role. To
sign an SSH public key, we simply write to the `sign` end point with that role
name: Vault is now configured to create and manage SSH certificates!

```text
$ cat dummy.pub | vault write ssh/sign/example public_key=-
Key Value
--- -----
lease_id ssh/sign/example/3c3740ee-6066-55c0-4a5d-82a544a474a3
lease_duration 768h0m0s
lease_renewable false
serial_number 8343f840b8a027a7
signed_key ssh-rsa-cert-v01@openssh.com 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
```

### Establish an SSH session

Save the key to a file (e.g. `dummy-cert.pem`) and then use it to establish an
SSH session.

```text
$ ssh -i dummy.pem username@<IP of remote host>
username@<IP of remote host>:~$
```

----------------------------------------------------
## API

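Review bot: the section being removed showed a sign response whose `lease_duration 768h0m0s` contradicted the role's `ttl=4h`, so dropping it is an improvement, but the replacement CA section's sign output now shows only `serial_number` and `signed_key` and never says how long the certificate is valid; the client role's `ttl=5m` and the host role's `ttl=87600h` should be stated in prose as the certificate validity periods so readers do not look for a lease. The removed walkthrough also had the same mismatch the new one has, "Save the key to a file (e.g. `dummy-cert.pem`)" followed by `ssh -i dummy.pem`, naming the certificate where the private key is expected; that should be fixed in the new section rather than only deleted here.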