2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
|
|
|
|
layout: "http"
|
|
|
|
|
page_title: "SSH Secret Backend - HTTP API"
|
|
|
|
|
sidebar_current: "docs-http-secret-ssh"
|
|
|
|
|
description: |-
|
2017-03-16 07:21:49 +00:00
|
|
|
|
This is the API documentation for the Vault SSH secret backend.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# SSH Secret Backend HTTP API
|
|
|
|
|
|
|
|
|
|
This is the API documentation for the Vault SSH secret backend. For general
|
|
|
|
|
information about the usage and operation of the SSH backend, please see the
|
|
|
|
|
[Vault SSH backend documentation](/docs/secrets/ssh/index.html).
|
|
|
|
|
|
|
|
|
|
This documentation assumes the SSH backend is mounted at the `/ssh` path in
|
|
|
|
|
Vault. Since it is possible to mount secret backends at any location, please
|
|
|
|
|
update your API calls accordingly.
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Create/Update Key
|
|
|
|
|
|
|
|
|
|
This endpoint creates or updates a named key.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/keys/:name` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the key to create. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `key` `(string: <required>)` – Specifies an SSH private key with appropriate
|
|
|
|
|
privileges on remote hosts.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"key": "..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/keys/my-key
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Key
|
|
|
|
|
|
|
|
|
|
This endpoint deletes a named key.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `DELETE` | `/ssh/keys/:name` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the key to delete. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
|
|
|
|
https://vault.rocks/v1/ssh/keys/my-key
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Create Role
|
|
|
|
|
|
|
|
|
|
This endpoint creates or updates a named role.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/roles/:name` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `key` `(string: "")` – Specifies the name of the registered key in Vault.
|
|
|
|
|
Before creating the role, use the `keys/` endpoint to create a named key. This
|
|
|
|
|
is required for "Dynamic Key" type.
|
|
|
|
|
|
|
|
|
|
- `admin_user` `(string: "")` – Specifies the admin user at remote host. The
|
|
|
|
|
shared key being registered should be for this user and should have root or
|
|
|
|
|
sudo privileges. Every time a dynamic credential is generated for a client,
|
|
|
|
|
Vault uses this admin username to login to remote host and install the
|
|
|
|
|
generated credential. This is required for Dynamic Key type.
|
|
|
|
|
|
|
|
|
|
- `default_user` `(string: "")` – Specifies the default username for which a
|
|
|
|
|
credential will be generated. When the endpoint `creds/` is used without a
|
|
|
|
|
username, this value will be used as default username. Its recommended to
|
|
|
|
|
create individual roles for each username to ensure absolute isolation between
|
|
|
|
|
usernames. This is required for Dynamic Key type and OTP type.
|
|
|
|
|
|
|
|
|
|
For the CA type, if you wish this to be a valid principal, it must also be
|
|
|
|
|
in `allowed_users`.
|
|
|
|
|
|
|
|
|
|
- `cidr_list` `(string: "")` – Specifies a comma separated list of CIDR blocks
|
|
|
|
|
for which the role is applicable for.CIDR blocks can belong to more than one
|
|
|
|
|
role.
|
|
|
|
|
|
|
|
|
|
- `exclude_cidr_list` `(string: "")` – Specifies a comma-separated list of CIDR
|
|
|
|
|
blocks. IP addresses belonging to these blocks are not accepted by the role.
|
|
|
|
|
This is particularly useful when big CIDR blocks are being used by the role
|
|
|
|
|
and certain parts need to be kept out.
|
|
|
|
|
|
|
|
|
|
- `port` `(int: 22)` – Specifies the port number for SSH connection. Port number
|
|
|
|
|
does not play any role in OTP generation. For the `otp` backend type, this is
|
|
|
|
|
just a way to inform the client about the port number to use. The port number
|
|
|
|
|
will be returned to the client by Vault along with the OTP.
|
|
|
|
|
|
|
|
|
|
- `key_type` `(string: <required>)` – Specifies the type of credentials
|
|
|
|
|
generated by this role. This can be either `otp`, `dynamic` or `ca`.
|
|
|
|
|
|
|
|
|
|
- `key_bits` `(int: 1024)` – Specifies the length of the RSA dynamic key in
|
|
|
|
|
bits. This can be either 1024 or 2048.
|
|
|
|
|
|
|
|
|
|
- `install_script`
|
|
|
|
|
<span class="param-flags">optional for Dynamic Key type, N/A for OTP type,
|
|
|
|
|
N/A for CA type</span>
|
|
|
|
|
(String)
|
|
|
|
|
Script used to install and uninstall public keys in the target
|
|
|
|
|
machine. Defaults to the built-in script.
|
|
|
|
|
|
|
|
|
|
- `allowed_users` `(string: "")` – If this option is not specified, client can
|
|
|
|
|
request for a credential for any valid user at the remote host, including the
|
|
|
|
|
admin user. If only certain usernames are to be allowed, then this list
|
|
|
|
|
enforces it. If this field is set, then credentials can only be created for
|
|
|
|
|
`default_user` and usernames present in this list. Setting this option will
|
|
|
|
|
enable all the users with access this role to fetch credentials for all other
|
|
|
|
|
usernames in this list. Use with caution.
|
|
|
|
|
|
|
|
|
|
- `allowed_domains` `(string: "")` – If this option is not specified, client can
|
|
|
|
|
request for a signed certificate for any valid host. If only certain domains
|
|
|
|
|
are allowed, then this list enforces it. If this option is explicitly set to
|
|
|
|
|
`"*"`, then credentials can be created for any domain.
|
|
|
|
|
|
|
|
|
|
- `key_option_specs` `(string: "")` – Specifies a aomma separated option
|
|
|
|
|
specification which will be prefixed to RSA keys in the remote host's
|
|
|
|
|
authorized_keys file. N.B.: Vault does not check this string for validity.
|
|
|
|
|
|
|
|
|
|
- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
|
|
|
|
|
duration with time suffix. Hour is the largest suffix. If not set, uses the
|
|
|
|
|
system default value or the value of `max_ttl`, whichever is shorter.
|
|
|
|
|
|
|
|
|
|
- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
|
|
|
|
|
string duration with time suffix. Hour is the largest suffix. If not set,
|
|
|
|
|
defaults to the system maximum lease TTL.
|
|
|
|
|
|
|
|
|
|
- `allowed_critical_options` `(string: "")` – Specifies a comma-separated list
|
|
|
|
|
of critical options that certificates can have when signed. To allow any
|
|
|
|
|
critical options, set this to an empty string. Will default to allowing any
|
|
|
|
|
critical options.
|
|
|
|
|
|
|
|
|
|
- `allowed_extensions` `(string: "")` – Specifies a comma-separated list of
|
|
|
|
|
extensions that certificates can have when signed. To allow any critical
|
|
|
|
|
options, set this to an empty string. Will default to allowing any extensions.
|
|
|
|
|
|
|
|
|
|
- `default_critical_options` `(map<string|string>: "")` – Specifies a map of
|
|
|
|
|
critical options certificates should have if none are provided when signing.
|
|
|
|
|
This field takes in key value pairs in JSON format. Note that these are not
|
|
|
|
|
restricted by `allowed_critical_options`. Defaults to none.
|
|
|
|
|
|
|
|
|
|
- `default_extensions` `(map<string|string>: "")` – Specifies a map of
|
|
|
|
|
extensions certificates should have if none are provided when signing. This
|
|
|
|
|
field takes in key value pairs in JSON format. Note that these are not
|
|
|
|
|
restricted by `allowed_extensions`. Defaults to none.
|
|
|
|
|
|
|
|
|
|
- `allow_user_certificates` `(bool: false)` – Specifies if certificates are
|
|
|
|
|
allowed to be signed for use as a 'user'.
|
|
|
|
|
|
|
|
|
|
- `allow_host_certificates` `(bool: false)` – Specifies if certificates are
|
|
|
|
|
allowed to be signed for use as a 'host'.
|
|
|
|
|
|
|
|
|
|
- `allow_bare_domains` `(bool: false)` – Specifies if host certificates that are
|
|
|
|
|
requested are allowed to use the base domains listed in "allowed_users", e.g.
|
|
|
|
|
"example.com". This is a separate option as in some cases this can be
|
|
|
|
|
considered a security threat.
|
|
|
|
|
|
|
|
|
|
- `allow_subdomains` `(bool: false)` – Specifies if host certificates that are
|
|
|
|
|
requested are allowed to use subdomains of those listed in "allowed_users".
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"key_type": "otp"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/roles/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Role
|
|
|
|
|
|
|
|
|
|
This endpoint queries a named role.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `GET` | `/ssh/roles/:name` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to read. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
https://vault.rocks/v1/ssh/roles/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
For a dynamic key role:
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"admin_user": "username",
|
|
|
|
|
"cidr_list": "x.x.x.x/y",
|
|
|
|
|
"default_user": "username",
|
|
|
|
|
"key": "<key name>",
|
|
|
|
|
"key_type": "dynamic",
|
|
|
|
|
"port": 22
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
For an OTP role:
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"cidr_list": "x.x.x.x/y",
|
|
|
|
|
"default_user": "username",
|
|
|
|
|
"key_type": "otp",
|
|
|
|
|
"port": 22
|
|
|
|
|
}
|
|
|
|
|
```
|
2017-03-16 08:04:02 +00:00
|
|
|
|
|
|
|
|
|
For a CA role:
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"allow_bare_domains": false,
|
|
|
|
|
"allow_host_certificates": true,
|
|
|
|
|
"allow_subdomains": false,
|
|
|
|
|
"allow_user_certificates": true,
|
|
|
|
|
"allowed_critical_options": "",
|
|
|
|
|
"allowed_extensions": "",
|
|
|
|
|
"default_critical_options": {},
|
|
|
|
|
"default_extensions": {},
|
|
|
|
|
"max_ttl": "768h",
|
|
|
|
|
"ttl": "4h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## List Roles
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
This endpoint returns a list of available roles. Only the role names are
|
|
|
|
|
returned, not any values.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `LIST` | `/ssh/roles` | `200 application/json` |
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Request
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
|
|
|
|
https://vault.rocks/v1/ssh/roles
|
|
|
|
|
```
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Response
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"auth": null,
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": ["dev", "prod"]
|
|
|
|
|
},
|
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false
|
|
|
|
|
}
|
|
|
|
|
```
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Delete Role
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
This endpoint deletes a named role.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `DELETE` | `/ssh/roles/:name` | `204 (empty body)` |
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Parameters
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to delete. This
|
|
|
|
|
is part of the request URL.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Request
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/roles/my-role
|
|
|
|
|
```
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## List Zero-Address Roles
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
This endpoint returns the list of configured zero-address roles.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `GET` | `/ssh/config/zeroaddress` | `200 application/json` |
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Request
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
https://vault.rocks/v1/ssh/config/zeroaddress
|
|
|
|
|
```
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Response
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id":"",
|
|
|
|
|
"renewable":false,
|
|
|
|
|
"lease_duration":0,
|
|
|
|
|
"data":{
|
|
|
|
|
"roles":[
|
|
|
|
|
"otp_key_role"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"warnings":null,
|
|
|
|
|
"auth":null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Configure Zero-Address Roles
|
|
|
|
|
|
|
|
|
|
This endpoint configures zero-address roles.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/config/zeroaddress` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `roles` `(string: <required>)` – Specifies a string containing comma separated
|
|
|
|
|
list of role names which allows credentials to be requested for any IP
|
|
|
|
|
address. CIDR blocks previously registered under these roles will be ignored.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"roles": ["otp_key_role"]
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/config/zeroaddress
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Zero-Address Role
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the zero-address roles configuration.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `DELETE` | `/ssh/config/zeroaddress` | `204 (empty body)` |
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
|
|
|
|
https://vault.rocks/v1/ssh/config/zeroaddress
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate SSH Credentials
|
|
|
|
|
|
|
|
|
|
This endpoint creates credentials for a specific username and IP with the
|
|
|
|
|
parameters defined in the given role.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/creds/:name` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create
|
|
|
|
|
credentials against. This is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `username` `(string: "")` – Specifies the username on the remote host.
|
|
|
|
|
|
|
|
|
|
- `ip` `(string: <required>)` – Specifies the IP of the remote host.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"ip": "1.2.3.4"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/creds/my-role
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
For a dynamic key role:
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
2017-03-16 08:04:02 +00:00
|
|
|
|
"admin_user": "rajanadar",
|
|
|
|
|
"allowed_users": "",
|
|
|
|
|
"cidr_list": "x.x.x.x/y",
|
|
|
|
|
"default_user": "rajanadar",
|
|
|
|
|
"exclude_cidr_list": "x.x.x.x/y",
|
|
|
|
|
"install_script": "pretty_large_script",
|
|
|
|
|
"key": "5d9ee6a1-c787-47a9-9738-da243f4f69bf",
|
|
|
|
|
"key_bits": 1024,
|
|
|
|
|
"key_option_specs": "",
|
|
|
|
|
"key_type": "dynamic",
|
|
|
|
|
"port": 22
|
|
|
|
|
},
|
2017-03-09 02:47:35 +00:00
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
For an OTP role:
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
|
"data": {
|
2017-03-16 08:04:02 +00:00
|
|
|
|
"ip": "127.0.0.1",
|
|
|
|
|
"key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
|
|
|
|
|
"key_type": "otp",
|
|
|
|
|
"port": 22,
|
|
|
|
|
"username": "rajanadar"
|
|
|
|
|
},
|
2017-03-09 02:47:35 +00:00
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## List Roles by IP
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
This endpoint lists all of the roles with which the given IP is associated.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/lookup` | `200 application/json` |
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Parameters
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
- `ip` `(string: <required>)` – Specifies the IP of the remote host.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Payload
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"ip": "1.2.3.4"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/lookup
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
An array of roles as a secret structure.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
2017-03-16 08:04:02 +00:00
|
|
|
|
"roles": [
|
|
|
|
|
"fe6f61b7-7e4a-46a6-b2c8-0d530b8513df",
|
|
|
|
|
"6d6411fd-f622-ea0a-7e2c-989a745cbbb2"
|
|
|
|
|
]
|
|
|
|
|
},
|
2017-03-09 02:47:35 +00:00
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Verify SSH OTP
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
This endpoint verifies if the given OTP is valid. This is an unauthenticated
|
|
|
|
|
endpoint.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/verify` | `200 application/json` |
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Parameters
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
- `otp` `(string: <required>)` – Specifies the One-Time-Key that needs to be
|
|
|
|
|
validated.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"otp": "bad2b3-..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/verify
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id":"",
|
|
|
|
|
"renewable":false,
|
|
|
|
|
"lease_duration":0,
|
2017-03-16 08:04:02 +00:00
|
|
|
|
"data": {
|
|
|
|
|
"ip":"127.0.0.1",
|
|
|
|
|
"username":"rajanadar"
|
|
|
|
|
},
|
2017-03-09 02:47:35 +00:00
|
|
|
|
"warnings":null,
|
|
|
|
|
"auth":null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 08:04:02 +00:00
|
|
|
|
## Submit CA Information
|
|
|
|
|
|
|
|
|
|
This endpoint allows submitting the CA information for the backend via an SSH
|
|
|
|
|
key pair. _If you have already set a certificate and key, they will be
|
|
|
|
|
overridden._
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/config/ca` | `200/204 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `private_key` `(string: "")` – Specifies the private key part the SSH CA key
|
|
|
|
|
pair; required if `generate_signing_key` is false.
|
|
|
|
|
|
|
|
|
|
- `public_key` `(string: "")` – Specifies the public key part of the SSH CA key
|
|
|
|
|
pair; required if `generate_signing_key` is false.
|
|
|
|
|
|
|
|
|
|
- `generate_signing_key` `(bool: false)` – Specifies if Vault should generate
|
|
|
|
|
the signing key pair internally. The generated public key will be returned so
|
|
|
|
|
you can add it to your configuration.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"generate_signing_key": true
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/config/ca
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
This will return a `204` response if `generate_signing_key` was unset or false.
|
|
|
|
|
|
|
|
|
|
This will return a `200` response if `generate_signing_key` was true:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
|
|
|
|
|
},
|
|
|
|
|
"warnings": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Public Key
|
|
|
|
|
|
|
|
|
|
This endpoint reads the configured/generated public key.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `GET` | `/ssh/config/ca` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
https://vault.rocks/v1/ssh/config/ca
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"public_key": "ssh-rsa AAAAHHNzaC1y...\n"
|
|
|
|
|
},
|
|
|
|
|
"warnings": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Sigh SSH Key
|
|
|
|
|
|
|
|
|
|
This endpoint signs an SSH public key based on the supplied parameters, subject
|
|
|
|
|
to the restrictions contained in the role named in the endpoint.
|
|
|
|
|
|
|
|
|
|
| Method | Path | Produces |
|
|
|
|
|
| :------- | :--------------------------- | :--------------------- |
|
|
|
|
|
| `POST` | `/ssh/sign/:name` | `200 application/json` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to sign. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `public_key` `(string: <required>)` – Specifies the SSH public key that should
|
|
|
|
|
be signed.
|
|
|
|
|
|
|
|
|
|
- `ttl` `(string: "")` – Specifies the Requested Time To Live. Cannot be greater
|
|
|
|
|
than the role's `max_ttl` value. If not provided, the role's `ttl` value will
|
|
|
|
|
be used. Note that the role values default to system values if not explicitly
|
|
|
|
|
set.
|
|
|
|
|
|
|
|
|
|
- `vauld_principals` `(string: "")` – Specifies valid principals, either
|
|
|
|
|
usernames or hostnames, that the certificate should be signed for.
|
|
|
|
|
|
|
|
|
|
- `cert_type` `(string: "user")` – Specifies the type of certificate to be
|
|
|
|
|
created; either "user" or "host".
|
|
|
|
|
|
|
|
|
|
- `key_id` `(string: "")` – Specifies the key id that the created certificate
|
|
|
|
|
should have. If not specified, the display name of the token will be used.
|
|
|
|
|
|
|
|
|
|
- `critical_options` `(map<string|string>: "")` – Specifies a map of the
|
|
|
|
|
critical options that the certificate should be signed for. Defaults to none.
|
|
|
|
|
|
|
|
|
|
- `extension` `(map<string|string>: "")` – Specifies a map of the extensions
|
|
|
|
|
that the certificate should be signed for. Defaults to none.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"public_key": "ssh-rsa ..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
https://vault.rocks/v1/ssh/sign/my-key
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "ssh/sign/example/097bf207-96dd-0041-0e83-b23bd1923993",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"serial_number": "f65ed2fd21443d5c",
|
|
|
|
|
"signed_key": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...\n"
|
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|