Vault Signed SSH Certificates to access Linux server

Prerequisites

  • Target servers must run OpenSSH 6.5 or later: the CA key pair created below uses the ed25519 algorithm, which OpenSSH introduced in version 6.5.
  • Please NOTE: signed SSH certificates expire at the end of their TTL, so it is critical that the clocks of the Vault server and the target hosts are synchronized; otherwise certificate validation fails.

Mount the secrets engine

vault secrets enable -path=ssh-client-signer ssh

Configure Vault with a CA for signing client keys using the /config/ca endpoint.

prepare an ed25519 key pair for the CA

ssh-keygen -t ed25519 -f ssh_ca/id_ed25519

ssh-keygen writes the key pair into ssh_ca/; then configure the Vault CA with that key pair:

vault write ssh-client-signer/config/ca private_key=@ssh_ca/id_ed25519 public_key=@ssh_ca/id_ed25519.pub

Add the CA public key to every target host's SSH configuration

vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

On every target host, point the TrustedUserCAKeys option in the sshd configuration file at the file holding the public key:

# /etc/ssh/sshd_config
# Prepends SHA-1 RSA (ssh-rsa) to the CA signature algorithms sshd accepts; only matters
# when the CA key is RSA and signs with ssh-rsa, not for the ed25519 CA created above
CASignatureAlgorithms ^ssh-rsa
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
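A POSIX shell script that automates this host-side step, added here as an example; it is not from the post or from HashiCorp. It fetches the CA public key from the ssh-client-signer mount, checks that the fetched file actually parses as a key before trusting it, writes it into place, and sets TrustedUserCAKeys in sshd_config without creating duplicate directives or dropping the directive inside a Match block (where it would apply only to that block), then validates the configuration with sshd -t before reloading. It assumes a root shell on the target host with a logged-in vault client, the default config path /etc/ssh/sshd_config, and a systemd unit named sshd (the unit name differs across distributions).

```shell
#!/bin/sh
# Added example (not the post's or HashiCorp's code): install the Vault SSH CA on a host.
# Assumptions: run as root, `vault` is addressed and authenticated, systemd unit "sshd".

# Set (or replace) one sshd_config directive. Keywords are matched case-insensitively
# as sshd does; commented-out lines are left alone; an existing directive is replaced
# in place, otherwise the new one is inserted before the first Match block (or
# appended when there is none). The file mode is preserved via cp -p.
ensure_sshd_option() {
    cfg=$1 key=$2 value=$3
    tmp="${cfg}.tmp.$$"
    cp -p "$cfg" "$tmp" &&
    awk -v key="$key" -v value="$value" '
        tolower($1) == "match" && !done { print key " " value; done = 1 }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" &&
    mv "$tmp" "$cfg"
}

# Fetch the CA public key from Vault and wire it into sshd.
install_trusted_ca() {
    ca_file=${1:-/etc/ssh/trusted-user-ca-keys.pem}
    vault read -field=public_key ssh-client-signer/config/ca > "${ca_file}.tmp" || return 1
    # Refuse to trust anything that does not parse as an SSH public key (e.g. an error message).
    ssh-keygen -l -f "${ca_file}.tmp" > /dev/null || { rm -f "${ca_file}.tmp"; return 1; }
    chmod 0644 "${ca_file}.tmp" && mv "${ca_file}.tmp" "$ca_file"
    ensure_sshd_option /etc/ssh/sshd_config TrustedUserCAKeys "$ca_file"
    # Validate before reloading so a typo cannot lock everyone out of the host.
    sshd -t && systemctl reload sshd
}

# Usage: sh install-ca.sh install   (functions only are defined otherwise)
if [ "${1:-}" = "install" ]; then
    install_trusted_ca
fi
```

ensure_sshd_option is the reusable part: re-running it is safe, and it is the piece worth testing on a copy of sshd_config before touching a production host.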

Create the SSH login user on all target hosts

useradd -m p4sautomation

Add the user to the sudoers configuration

# /etc/sudoers
p4sautomation ALL=(ALL) NOPASSWD: ALL
Defaults:p4sautomation !requiretty

Create a named Vault role for signing client keys

vault write ssh-client-signer/roles/p4s-automation-role - <<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "p4sautomation",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "p4sautomation",
  "ttl": "120m0s"
}
EOH

Client SSH Authentication
generate a client key pair with ssh-keygen, then have Vault sign its public key:

ssh-keygen -t rsa -f ssh_cert/id_rsa
vault write -field=signed_key ssh-client-signer/sign/p4s-automation-role public_key=@ssh_cert/id_rsa.pub valid_principals=p4sautomation > signed-cert.pub

log in to the target host with the signed certificate and the private key
Note: the server that generates the signed certificate must have its clock synchronized with the target servers; otherwise login will probably fail because the target's local time falls outside the certificate's validity window.

ssh -i signed-cert.pub -i ssh_cert/id_rsa p4sautomation@30.80.133.80
Last login: Tue Jan 25 07:59:35 2022 from 204.104.46.242
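When the login above fails with "Permission denied", sshd gives the client no reason, and clock skew, an expired TTL and a missing principal all look the same. The following checks, added here as an example and not taken from the post or from Vault, parse what `ssh-keygen -L -f signed-cert.pub` prints and confirm, before connecting, that the current time lies inside the certificate's validity window and that the certificate carries the expected principal (p4sautomation) and extension (permit-pty) from the role above. The sample output embedded in the script is constructed: fingerprints, key ID and serial are placeholders, and the validity window is invented. check_cert_file is the wrapper to run against a real certificate file; the rest needs only awk.

```shell
#!/bin/sh
# Added example (not from the post or from Vault): sanity-check a signed certificate.
# Constructed sample of `ssh-keygen -L -f signed-cert.pub` output; placeholders throughout.
SAMPLE_CERT_INFO='signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDERfingerprintOfClientKey
        Signing CA: ED25519 SHA256:PLACEHOLDERfingerprintOfVaultCA (using ssh-ed25519)
        Key ID: "vault-token-placeholder"
        Serial: 1
        Valid: from 2022-01-25T07:29:30 to 2022-01-25T09:30:00
        Principals:
                p4sautomation
        Critical Options: (none)
        Extensions:
                permit-pty'

# Bounds of the validity window exactly as ssh-keygen prints them (local time).
cert_valid_from() { printf '%s\n' "$1" | awk '$1 == "Valid:" && $2 == "from" { print $3 }'; }
cert_valid_to()   { printf '%s\n' "$1" | awk '$1 == "Valid:" && $2 == "from" { print $5 }'; }

# Exit 0 when timestamp $2 (YYYY-MM-DDTHH:MM:SS) lies inside the window, 1 when it does
# not, 2 when the output has no "Valid:" line. Bounds and timestamp share one fixed-width
# layout, so plain string comparison orders them correctly; "Valid: forever" always passes.
cert_valid_at() {
    printf '%s\n' "$1" | awk -v ts="$2" '
        $1 == "Valid:" && $2 == "forever" { found = 1; status = 0 }
        $1 == "Valid:" && $2 == "from"    { found = 1; status = ($3 <= ts && ts <= $5) ? 0 : 1 }
        END { if (!found) exit 2; exit status }'
}

# Exit 0 when the indented list under header $2 ("Principals:" or "Extensions:")
# contains entry $3. The list ends at the next "Something:" header line.
cert_list_contains() {
    printf '%s\n' "$1" | awk -v header="$2" -v want="$3" '
        $0 ~ "^[[:space:]]*" header { inlist = 1; next }
        /^[[:space:]]*[A-Za-z ]+:/  { inlist = 0 }
        inlist && $1 == want        { ok = 1 }
        END { exit !ok }'
}

# Run the same checks against a real certificate file at the current local time.
check_cert_file() {
    info=$(ssh-keygen -L -f "$1") || return 2
    now=$(date +%Y-%m-%dT%H:%M:%S)
    cert_valid_at "$info" "$now" ||
        { echo "not valid at $now: window $(cert_valid_from "$info") .. $(cert_valid_to "$info") (clock skew or expired TTL?)" >&2; return 1; }
    cert_list_contains "$info" "Principals:" "$2" ||
        { echo "certificate does not carry principal $2" >&2; return 1; }
    cert_list_contains "$info" "Extensions:" permit-pty ||
        { echo "certificate lacks permit-pty; interactive login will not get a tty" >&2; return 1; }
    echo "certificate ok for $2 until $(cert_valid_to "$info")"
}

# Demonstration on the constructed sample: inside the window, then one second past it.
cert_valid_at "$SAMPLE_CERT_INFO" 2022-01-25T08:00:00 && echo "08:00:00 is inside the window"
cert_valid_at "$SAMPLE_CERT_INFO" 2022-01-25T09:30:01 || echo "09:30:01 is outside the window"
cert_list_contains "$SAMPLE_CERT_INFO" "Principals:" p4sautomation && echo "principal p4sautomation present"
# Against a real file: check_cert_file signed-cert.pub p4sautomation
```

Because ssh-keygen prints the window in the client's local time and date is read from the same clock, a failure here usually means the signing machine's clock, not the client's, is the one out of step with the target; the TTL in the role is the only other thing that shrinks the window.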
