Skip to content

tropicalwave/ssh-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

.github

.github

 
 

ca

ca

 
 

images

images

 
 

server

server

 
 

.editorconfig

.editorconfig

 
 

.env

.env

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

compose.yml

compose.yml

 
 

Repository files navigation

Vault and SSH keys self-service

GitHub Super-Linter

Big picture

This tutorial shows the use of SSH user key certificates with Vault using podman-compose. This setup will then allow users to connect via SSH to hosts based on their defined role in Vault.

The servers furthermore use SSH host key certificates (set up with Vault), ie. there is no need to verify the keys manually at login time.

Overview

Architecture

Four machines will configured:

  1. Vault server
  2. CA server (including SSH client, but this could also be used from any other host)
  3. Web server (accepting logins for all global and web administrators)
  4. Database server (accepting logins for all global and DB administrators)

Furthermore, three Vault users will be created (with the Vault password "pass"):

  1. globaladmin (should be able to login on all hosts)
  2. dbadmin (should only be able to login on host db)
  3. webadmin (should only be able to login on host web)

Initialization

The following commands need to be executed for this tutorial

podman-compose up -d --build
podman-compose logs vault | awk '/Token/ { print $NF }' >.vault-token
cat .vault-token | podman-compose exec -T ca /root/initialize_ca.sh
cat .vault-token | podman-compose exec -T web /root/initialize_sshd.sh
cat .vault-token | podman-compose exec -T db /root/initialize_sshd.sh

User perspective

Creating SSH key and a certificate

The following commands will allow you to log-in on the hosts web and db:

podman-compose exec ca /bin/bash
> vault login -method=userpass username=globaladmin password=pass
> vault write -field=signed_key ssh-client-signer/sign/itservice public_key=@$HOME/.ssh/id_rsa.pub > $HOME/.ssh/id_rsa-cert.pub
> ssh ...

The following commands will allow you to log-in only to the host web:

podman-compose exec ca /bin/bash
> vault login -method=userpass username=webadmin password=pass
> vault write -field=signed_key ssh-client-signer/sign/webteam public_key=@$HOME/.ssh/id_rsa.pub > $HOME/.ssh/id_rsa-cert.pub
> ssh web

The following commands will allow you to log-in only to the host db:

podman-compose exec ca /bin/bash
> vault login -method=userpass username=dbadmin password=pass
> vault write -field=signed_key ssh-client-signer/sign/dbteam public_key=@$HOME/.ssh/id_rsa.pub > $HOME/.ssh/id_rsa-cert.pub
> ssh db

Further reading

About

Example of using SSH certificates in connection with Vault

Topics

vault ssh-certificates

Resources

Readme

License

Apache-2.0 license
Activity

Stars

8 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages