open-vault/website/pages/docs/commands/ssh.mdx

108 lines
3.8 KiB
Plaintext
Raw Normal View History

2017-09-08 02:14:17 +00:00
---
layout: docs
page_title: ssh - Command
sidebar_title: <code>ssh</code>
2017-09-08 02:14:17 +00:00
description: |-
The "ssh" command establishes an SSH connection with the target machine using
credentials obtained from an SSH secrets engine.
---
# ssh
The `ssh` command establishes an SSH connection with the target machine.
This command uses one of the SSH secrets engines to authenticate and
automatically establish an SSH connection to a host. This operation requires
that the SSH secrets engine is mounted and configured.
The user must have `ssh` installed locally - this command will exec out to it
with the proper commands to provide an "SSH-like" consistent experience.
## Examples
SSH using the OTP mode (requires [sshpass](https://linux.die.net/man/1/sshpass)
for full automation):
```shell-session
2017-09-08 02:14:17 +00:00
$ vault ssh -mode=otp -role=my-role user@1.2.3.4
```
SSH using the CA mode:
```shell-session
2017-09-08 02:14:17 +00:00
$ vault ssh -mode=ca -role=my-role user@1.2.3.4
```
SSH using CA mode with host key verification:
```shell-session
2017-09-08 02:14:17 +00:00
$ vault ssh \
-mode=ca \
-role=my-role \
-host-key-mount-point=host-signer \
-host-key-hostnames=example.com \
user@example.com
```
For step-by-step guides and instructions for each of the available SSH
auth methods, please see the corresponding [SSH secrets
engine](/docs/secrets/ssh).
2017-09-08 02:14:17 +00:00
## Usage
The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands.
2017-09-08 02:14:17 +00:00
### Output Options
- `-field` `(string: "")` - Print only the field with the given name. Specifying
this option will take precedence over other formatting directives. The result
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format
2018-02-12 23:12:16 +00:00
will not have a trailing newline making it ideal for piping to other processes.
2017-09-08 02:14:17 +00:00
- `-format` `(string: "table")` - Print the output in the given format. Valid
formats are "table", "json", or "yaml". This can also be specified via the
`VAULT_FORMAT` environment variable.
### SSH Options
- `-mode` `(string: "")` - Name of the authentication mode (ca, dynamic, otp)."
2017-09-08 02:14:17 +00:00
- `-mount-point` `(string: "ssh/")` - Mount point to the SSH secrets engine.
- `-no-exec` `(bool: false)` - Print the generated credentials, but do not
establish a connection.
- `-role` `(string: "")` - Name of the role to use to generate the key.
- `-strict-host-key-checking` `(string: "")` - Value to use for the SSH
configuration option "StrictHostKeyChecking". The default is ask. This can
also be specified via the `VAULT_SSH_STRICT_HOST_KEY_CHECKING` environment
variable.
- `-user-known-hosts-file` `(string: "~/.ssh/known_hosts")` - Value to use for
the SSH configuration option "UserKnownHostsFile". This can also be specified
via the `VAULT_SSH_USER_KNOWN_HOSTS_FILE` environment variable.
### CA Mode Options
- `-host-key-hostnames` `(string: "*")` - List of hostnames to delegate for the
CA. The default value allows all domains and IPs. This is specified as a
comma-separated list of values. This can also be specified via the
`VAULT_SSH_HOST_KEY_HOSTNAMES` environment variable.
- `-host-key-mount-point` `(string: "")` - Mount point to the SSH
secrets engine where host keys are signed. When given a value, Vault will
generate a custom "known_hosts" file with delegation to the CA at the provided
mount point to verify the SSH connection's host keys against the provided CA.
By default, host keys are validated against the user's local "known_hosts"
file. This flag forces strict key host checking and ignores a custom user
known hosts file. This can also be specified via the
`VAULT_SSH_HOST_KEY_MOUNT_POINT` environment variable.
- `-private-key-path` `(string: "~/.ssh/id_rsa")` - Path to the SSH private key
to use for authentication. This must be the corresponding private key to
`-public-key-path`.
- `-public-key-path` `(string: "~/.ssh/id_rsa.pub")` - Path to the SSH public
key to send to Vault for signing.