Merge pull request #3166 from hashicorp/sethvargo/ssh_ca_expanse
Refactor SSH CA backend docs
This commit is contained in:
commit
4beb12fc88
|
@ -12,195 +12,326 @@ description: |-
|
|||
# Signed SSH Certificates
|
||||
|
||||
The signed SSH certificates is the simplest and most powerful in terms of setup
|
||||
complexity and in terms of being platform agnostic.
|
||||
complexity and in terms of being platform agnostic. By leveraging Vault's
|
||||
powerful CA capabilities and functionality built into OpenSSH, clients can SSH
|
||||
into target hosts using their own local SSH keys.
|
||||
|
||||
When using this type, an SSH CA signing key is generated or configured at the
|
||||
backend's mount. This key will be used to sign other SSH keys. The private half
|
||||
of the signing key always stays within Vault and the public half is exposed via
|
||||
the API. Each mount of this backend represents a unique signing key pair. It is
|
||||
recommended that the host keys and client keys are signed using different mounts
|
||||
of this backend.
|
||||
In this section, the term "**client**" refers to the person or machine
|
||||
performing the SSH operation. The "**host**" refers to the target machine. If
|
||||
this is confusing, substitute "client" with "user".
|
||||
|
||||
This page will show a quick start for this backend. For detailed documentation
|
||||
on every path, use `vault path-help` after mounting the backend.
|
||||
|
||||
### Mount a backend's instance for signing host keys
|
||||
## Client Key Signing
|
||||
|
||||
```text
|
||||
vault mount -path ssh-host-signer ssh
|
||||
Successfully mounted 'ssh' at 'ssh-host-signer'!
|
||||
```
|
||||
Before a client can request their SSH key be signed, the Vault SSH backend must
|
||||
be configured. Usually a Vault administrator or security team performs these
|
||||
steps. It is also possible to automate these actions using a configuration
|
||||
management tool like Chef, Puppet, Ansible, or Salt.
|
||||
|
||||
### Mount a backend's instance for signing client keys
|
||||
### Signing Key & Role Configuration
|
||||
|
||||
```text
|
||||
vault mount -path ssh-client-signer ssh
|
||||
Successfully mounted 'ssh' at 'ssh-client-signer'!
|
||||
```
|
||||
The following steps are performed in advance by a Vault administrator, security
|
||||
team, or configuration management tooling.
|
||||
|
||||
### Configure the host CA certificate
|
||||
1. Mount the backend. Like all secret backends in Vault, the SSH secret backend
|
||||
must be mounted before use.
|
||||
|
||||
```text
|
||||
vault write -f ssh-host-signer/config/ca
|
||||
Key Value
|
||||
--- -----
|
||||
public_key ssh-rsa
|
||||
AAAAB3NzaC1yc2EAAAADAQABAAACAQDB7lbQ4ub8/7AbfnF4zntCxPGijXzdo50MrUz0I1Vz/n98pBPyrUEcNqFeCr6Qs9kRL8J8Bu48W/DtSxAiScIIlzyezulH+wxdZnCN3sxDUhFbTUosWstSt6P5BZbJsMTpfHfuYbOexewX9ljw636fUrRtU3/0Emq2FkOcKEv9v7z+Qwdaom+8R6CvRA0Kit0yyh6DXD+IjPnOmhYFoNH6ZhPU2xJ+7M16vLpCmH6OO1krHlDK+ZUvVKD2ZjfmbegoYEV/9FETSzVnQ/pOrP0SdwpmGhei7VO7hQwa6zOWIah66TYYdaIopHFha60rZPybliZFAi/CcUO7NYldq7Q2ty68RKp+Im2ROPbXLKYc2N+PThWwbxA1yQ7shvgSy/JEbAcYQuDLGn6tA6n5sXpvFcJe+vlf75w+laXIPUXTVHr2g1O5Irzwunpg03Pa+Kab8Hp8uq61XfTfNtCwHYr/K5YO27rHcpMA/gBKkOFmBbcI3VlUbi266HiyFANz0JMObzXS5hEGm90NevMD2nEFvZHYHx4hXRtoox7Bh4CCj2fUPaThnuTvv1hLBgryWxwDXL7OwHGx6wd/dpXo/1fG1DRUotfVcJP7k7FG9MUAB6tOR2RCuXEaTF6bv3tCpbsdzzzyhs/aIa6IeYRV4HUo3nW5g/IRT+6F/MLd63Cq5w==
|
||||
```
|
||||
```text
|
||||
$ vault mount -path=ssh-client-signer ssh
|
||||
Successfully mounted 'ssh' at 'ssh-client-signer'!
|
||||
```
|
||||
|
||||
The returned host CA public key should be added to `known_hosts` file in all
|
||||
client machines with a `@cert-authority <domain>` prefix, where `<domain>` can
|
||||
be any value (single host, wildcard domain, wildcard) SSH accepts to define
|
||||
hosts (e.g. `@cert-authority *.example.com ssh-rsa AAAA...`). This public key
|
||||
can also be retrieved using `vault read ssh-host-signer/config/ca`.
|
||||
This mounts the SSH backend at the path "ssh-client-signer". It is possible
|
||||
to mount the same secret backend multiple times using different `-path`
|
||||
arguments. The name "ssh-client-signer" is not special - it can be any name,
|
||||
but this documentation will assume "ssh-client-signer".
|
||||
|
||||
### Configure the client CA certificate
|
||||
1. Configure Vault with a CA for signing client keys using the `/config/ca`
|
||||
endpoint. If you do not have an internal CA, Vault can generate a keypair for
|
||||
you.
|
||||
|
||||
```text
|
||||
vault write -f ssh-client-signer/config/ca
|
||||
Key Value
|
||||
--- -----
|
||||
public_key ssh-rsa
|
||||
AAAAB3NzaC1yc2EAAAADAQABAAACAQDoYiTm0QrK+NGkv8H/Sq1Q9l2PQwxY1ROSPpRqOoFAgCM7vtEZSGchm8j3/Da6Vj84sUg+09N+dwMZ6z3HG57dBWyfHGCbEt+fIJtRcCV7KkQ4xktBdapq5PychBg0bYIP0+JWXe7yOAR6s+DWJgUUHwmYiY0GlrzoztvtYcU/pvj4zWY/EWcCAYRiZThqJOJ9rDzhEzmVHVYelZ8dlehKZsUOQ3dY5fCHgWJ5/IKSfGUI1w1h/3ENAToBKInbW2J/Wy0mbsfUJhha84zgqSeHd4gZ9YqaSpzYffVvDz6Ud+KtPWt4ejJDyvJVFAVnVIvVUCkuXVefBlC10Ww6l52DXex/rdxQW+46ZNV5zlFOUi4VWFPT6bOlIEj1hgHG0cfFKARQXcVlp03xTi5DRJp3jlBf/QLeUy4kZEFUdQl+gkVLwySrOh+1kHwE15JQWpNHxfxWzYnNnjokT2RCW2ANO4Y8vfMPCVM5OKSVNISHm3UurNkJNTAomK/ElnXQgP23UcVgbF3mNRBPx9U3/+9HHkXcqDefSI7XBC7npIBFdetCxFt3nW/cX4l1zfq6ZExCVde+/40V1U+TOoLZVLIZZzEuA40J4H99oK7QN5/MtCGaSr7kgAx+7ymfSY37rXB6wOVi5HTBlhyh+VFGU+Wmy+q5sxfr6+ZLGwoGpvNh0Q==
|
||||
```
|
||||
```text
|
||||
$ vault write ssh-client-signer/config/ca generate_signing_key=true
|
||||
Key Value
|
||||
--- -----
|
||||
public_key ssh-rsa AAAAB3NzaC1yc2EA...
|
||||
```
|
||||
|
||||
The returned client CA public key should be saved in a file that is added to
|
||||
the `TrustedUserCAKeys` list in the `sshd_config` file on the host machine:
|
||||
If you already have a keypair, specify the public and private key parts as
|
||||
part of the payload:
|
||||
|
||||
```text
|
||||
cat /etc/ssh/sshd_config
|
||||
...
|
||||
...
|
||||
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
|
||||
```
|
||||
```text
|
||||
$ vault write ssh-client-signer/config/ca \
|
||||
private_key="..." \
|
||||
public_key="..."
|
||||
```
|
||||
|
||||
The client CA public key can also be retrieved later using `vault read
|
||||
ssh-client-signer/config/ca`.
|
||||
Regardless of whether it is generated or uploaded, the client signer public
|
||||
key is accessible via the API at the `/public_key` endpoint.
|
||||
|
||||
### Allow host certificate to have longer TTLs
|
||||
1. Add the public key to all target host's SSH configuration. This process can
|
||||
be manual or automated using a configuration management tool. The public key is
|
||||
accessible via the API and does not require authentication.
|
||||
|
||||
```text
|
||||
vault mount-tune -max-lease-ttl=87600h ssh-host-signer
|
||||
Successfully tuned mount 'ssh-host-signer'!
|
||||
```
|
||||
```text
|
||||
$ curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.rocks/v1/ssh-client-signer/public_key
|
||||
```
|
||||
|
||||
### Create a role to sign host keys
|
||||
```text
|
||||
$ vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
|
||||
```
|
||||
|
||||
You'll want to add in some allowed domains and either the `allow_subdomains`
|
||||
flag, the `allow_bare_domains` flag, or both.
|
||||
Add the path where the public key contents are stored to the SSH
|
||||
configuration file as the `TrustedUserCAKeys` option.
|
||||
|
||||
```text
|
||||
vault write ssh-host-signer/roles/hostrole ttl=87600h allow_host_certificates=true key_type=ca allowed_domains="localdomain,example.com" allow_subdomains=true
|
||||
Success! Data written to: ssh-host-signer/roles/hostrole
|
||||
```
|
||||
```text
|
||||
# /etc/ssh/sshd_config
|
||||
# ...
|
||||
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
|
||||
```
|
||||
|
||||
### Create a role to sign client keys
|
||||
Restart the SSH service to pick up the changes.
|
||||
|
||||
Because of the way that some SSH certificate features are implemented, some
|
||||
common options to this call must be passed in as a map. Vault's CLI does not
|
||||
currently have a native way to pass in map values, so the easiest way to do
|
||||
this is to create a JSON file and use it as the input. In the following example
|
||||
this is used to add the `permit-pty` extension to the certificate.
|
||||
1. Create a named Vault role for signing client keys.
|
||||
|
||||
```json
|
||||
{
|
||||
"allow_user_certificates": true,
|
||||
"allowed_users": "*",
|
||||
"default_extensions": [
|
||||
Because of the way some SSH certificate features are implemented, options
|
||||
are passed as a map. The following example adds the `permit-pty` extension
|
||||
to the certificate.
|
||||
|
||||
```text
|
||||
$ vault write ssh-client-signer/roles/my-role -<<"EOH"
|
||||
{
|
||||
"permit-pty": ""
|
||||
"allow_user_certificates": true,
|
||||
"allowed_users": "*",
|
||||
"default_extensions": [
|
||||
{
|
||||
"permit-pty": ""
|
||||
}
|
||||
],
|
||||
"key_type": "ca",
|
||||
"default_user": "ubuntu",
|
||||
"ttl": "30m0s"
|
||||
}
|
||||
],
|
||||
"key_type": "ca",
|
||||
"default_user": "icecream",
|
||||
"ttl": "30m0s"
|
||||
}
|
||||
```
|
||||
EOH
|
||||
```
|
||||
|
||||
### Client SSH Authentication
|
||||
|
||||
The following steps are performed by the client (user) that wants to
|
||||
authenticate to machines managed by Vault. These commands are usually run from
|
||||
the client's local workstation.
|
||||
|
||||
1. Locate or generate the SSH public key. Usually this is `~/.ssh/id_rsa.pub`.
|
||||
If you do not have an SSH keypair, generate one:
|
||||
|
||||
```text
|
||||
$ ssh-keygen -t rsa -C "user@example.com"
|
||||
```
|
||||
|
||||
1. Ask Vault to sign your **public key**. This file usually ends in `.pub` and
|
||||
the contents begin with `ssh-rsa ...`.
|
||||
|
||||
```text
|
||||
$ vault write ssh-client-signer/sign/my-role \
|
||||
public_key=@$HOME/.ssh/id_rsa.pub
|
||||
|
||||
Key Value
|
||||
--- -----
|
||||
serial_number c73f26d2340276aa
|
||||
signed_key ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1...
|
||||
```
|
||||
|
||||
The result will include the serial and the signed key. This signed key is
|
||||
another public key.
|
||||
|
||||
1. Save the resulting signed, public key to disk. Limit permissions as needed.
|
||||
|
||||
```text
|
||||
$ vault write -field=signed_key ssh-client-signer/sign/my-role \
|
||||
public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
|
||||
```
|
||||
|
||||
If you are saving the certificate directly beside your SSH keypair, suffix
|
||||
the name with `-cert.pub` (`~/.ssh/id_rsa-cert.pub`). With this naming
|
||||
scheme, OpenSSH will automatically use it during authentication.
|
||||
|
||||
1. (Optional) View enabled extensions, principals, and metadata of the signed
|
||||
key.
|
||||
|
||||
```text
|
||||
$ ssh-keygen -Lf ~/.ssh/signed-cert.pub
|
||||
```
|
||||
|
||||
1. SSH into the host machine using the signed key.
|
||||
|
||||
```text
|
||||
$ ssh -i signed-cert.pub username@10.0.23.5
|
||||
```
|
||||
|
||||
## Host Key Signing
|
||||
|
||||
For an added layers of security, we recommend enabling host key signing. This is
|
||||
used in conjunction with client key signing to provide an additional integrity
|
||||
layer. When enabled, the SSH agent will verify the target host is valid and
|
||||
trusted before attempting to SSH. This will reduce the probability of a user
|
||||
accidentally SSHing into an unmanaged or malicious machine.
|
||||
|
||||
### Signing Key Configuration
|
||||
|
||||
1. Mount the backend. For the most security, mount at a different path from the
|
||||
client signer.
|
||||
|
||||
```text
|
||||
$ vault mount -path=ssh-host-signer ssh
|
||||
Successfully mounted 'ssh' at 'ssh-host-signer'!
|
||||
```
|
||||
|
||||
1. Configure Vault with a CA for signing host keys using the `/config/ca`
|
||||
endpoint. If you do not have an internal CA, Vault can generate a keypair for
|
||||
you.
|
||||
|
||||
```text
|
||||
$ vault write ssh-host-signer/config/ca generate_signing_key=true
|
||||
Key Value
|
||||
--- -----
|
||||
public_key ssh-rsa AAAAB3NzaC1yc2EA...
|
||||
```
|
||||
|
||||
If you already have a keypair, specify the public and private key parts as
|
||||
part of the payload:
|
||||
|
||||
```text
|
||||
$ vault write ssh-host-signer/config/ca \
|
||||
private_key="..." \
|
||||
public_key="..."
|
||||
```
|
||||
|
||||
Regardless of whether it is generated or uploaded, the host signer public
|
||||
key is accessible via the API at the `/public_key` endpoint.
|
||||
|
||||
1. Extend host key certificate TTLs.
|
||||
|
||||
```text
|
||||
$ vault mount-tune -max-lease-ttl=87600h ssh-host-signer
|
||||
```
|
||||
|
||||
1. Create a role for signing host keys. Be sure to fill in the list of allowed
|
||||
domains, set `allow_bare_domains`, or both.
|
||||
|
||||
```text
|
||||
$ vault write ssh-host-signer/roles/hostrole \
|
||||
key_type=ca \
|
||||
ttl=87600h \
|
||||
allow_host_certificates=true \
|
||||
allowed_domains="localdomain,example.com" \
|
||||
allow_subdomains=true
|
||||
```
|
||||
|
||||
1. Sign the host's SSH public key.
|
||||
|
||||
```text
|
||||
$ vault write ssh-host-signer/sign/hostrole \
|
||||
cert_type=host \
|
||||
public_key=@/etc/ssh/ssh_host_rsa_key.pub
|
||||
Key Value
|
||||
--- -----
|
||||
serial_number 3746eb17371540d9
|
||||
signed_key ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1y...
|
||||
```
|
||||
|
||||
1. Set the resulting signed certificate as `HostCertificate` in the SSH
|
||||
configuration on the host machine.
|
||||
|
||||
```text
|
||||
$ vault write -field=signed_key ssh-host-signer/sign/hostrole \
|
||||
cert_type=host \
|
||||
public_key=@/etc/ssh/ssh_host_rsa_key.pub > /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
```
|
||||
|
||||
Set permissions on the certificate to be `0640`:
|
||||
|
||||
```text
|
||||
$ chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
```
|
||||
|
||||
Add host key and host certificate to the SSH configuration file.
|
||||
|
||||
```text
|
||||
# /etc/ssh/sshd_config
|
||||
# ...
|
||||
|
||||
# For client keys
|
||||
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
|
||||
|
||||
# For host keys
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
```
|
||||
|
||||
Restart the SSH service to pick up the changes.
|
||||
|
||||
### Client-Side Host Verification
|
||||
|
||||
1. Retrieve the host signing CA public key to validate the host signature of
|
||||
target machines.
|
||||
|
||||
```text
|
||||
$ curl https://vault.rocks/v1/ssh-host-signer/public_key
|
||||
```
|
||||
|
||||
```text
|
||||
$ vault -field=public_key read ssh-host-signer/config/ca
|
||||
```
|
||||
|
||||
1. Add the resulting public key to the `known_hosts` file with authority.
|
||||
|
||||
```text
|
||||
# ~/.ssh/known_hosts
|
||||
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAA...
|
||||
```
|
||||
|
||||
1. SSH into target machines as usual.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
When initially configuring this type of key signing, enable `VERBOSE` SSH
|
||||
logging to help annotate any errors in the log.
|
||||
|
||||
```text
|
||||
vault write ssh-client-signer/roles/clientrole @clientrole.json
|
||||
Success! Data written to: ssh-client-signer/roles/clientrole
|
||||
# /etc/ssh/sshd_config
|
||||
# ...
|
||||
LogLevel VERBOSE
|
||||
```
|
||||
|
||||
### Sign the host key
|
||||
Restart SSH after making these changes.
|
||||
|
||||
You can generate a new key, or you can sign one of the host keys that was
|
||||
autogenerated when SSH was first started up, e.g.
|
||||
`/etc/ssh/ssh_host_rsa_key.pub`.
|
||||
By default, SSH logs to `/var/log/auth.log`, but so do many other things. To
|
||||
extract just the SSH logs, use the following:
|
||||
|
||||
```text
|
||||
cat /etc/ssh/ssh_host_rsa_key.pub | vault write ssh-host-signer/sign/hostrole public_key=- cert_type=host
|
||||
Key Value
|
||||
--- -----
|
||||
serial_number 3746eb17371540d9
|
||||
signed_key ssh-rsa-cert-v01@openssh.com
|
||||
AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg1d4hqGnDjPvBFTGGDksRvaxkIrJ/cc0P4wVyk5A+NtUAAAADAQABAAABAQDKis3fESmPFS9cp7QYJRAsqvrM9w6GwHmrBp2DOUmTJ1szNDm0sbJGkmvMvmC0fbb4DkXbr8YPKk0srX8jRDCXLRtrZJs1jgDN/JVyJGR1pYwOItpeYSkoU42cjgRqEvdms30TvIEzsDhkhyOATTooi95J46GP6tczl5nPp2Zz7zVj8/yXechcM6GCs0x8epcK9UJfhpNvYrC3F7tnxbbLFkdM7AV0bTu1wND2rKTDeACbk3Xi5j9Ti4oQ0ma7aNOFrCO8gfiB4mBbAx4Y+j+FSDNuVWpQqkGBwqRp+E2hgGy4Ao+3zE89SwtnlziIgBwyecT7JTQ+X54Pn7ZBtK+BN0brFzcVQNkAAAACAAAATHZhdWx0LXRva2VuLTA0Mzk0M2MyZjFlYWNmNzBhOWQyNDhiZWE5Yzg0N2UzZDM5Yzc2ZTAyMmY5YzU3MzJkOTAyNDE1NzM2NzU4MWEAAAAAAAAAAFjPB8UAAAAAa5sK4wAAAAAAAAAAAAAAAAAAAhcAAAAHc3NoLXJzYQAAAAMBAAEAAAIBAMHuVtDi5vz/sBt+cXjOe0LE8aKNfN2jnQytTPQjVXP+f3ykE/KtQRw2oV4KvpCz2REvwnwG7jxb8O1LECJJwgiXPJ7O6Uf7DF1mcI3ezENSEVtNSixay1K3o/kFlsmwxOl8d+5hs57F7Bf2WPDrfp9StG1Tf/QSarYWQ5woS/2/vP5DB1qib7xHoK9EDQqK3TLKHoNcP4iM+c6aFgWg0fpmE9TbEn7szXq8ukKYfo47WSseUMr5lS9UoPZmN+Zt6ChgRX/0URNLNWdD+k6s/RJ3CmYaF6LtU7uFDBrrM5YhqHrpNhh1oiikcWFrrStk/JuWJkUCL8JxQ7s1iV2rtDa3LrxEqn4ibZE49tcsphzY349OFbBvEDXJDuyG+BLL8kRsBxhC4Msafq0Dqfmxem8Vwl76+V/vnD6Vpcg9RdNUevaDU7kivPC6emDTc9r4ppvweny6rrVd9N820LAdiv8rlg7busdykwD+AEqQ4WYFtwjdWVRuLbroeLIUA3PQkw5vNdLmEQab3Q168wPacQW9kdgfHiFdG2ijHsGHgIKPZ9Q9pOGe5O+/WEsGCvJbHANcvs7AcbHrB392lej/V8bUNFSi19Vwk/uTsUb0xQAHq05HZEK5cRpMXpu/e0Klux3PPPKGz9ohroh5hFXgdSjedbmD8hFP7oX8wt3rcKrnAAACDwAAAAdzc2gtcnNhAAACAHj5fKMW0KvWiVhZ0LQQUPLpBlgL3qeHic99x61mFGQdkgawhh5UjxsW/r3asPy3XI92QYHu6me8g3iTBqXTmM9u+CwCTnVkZD+pweRLqbC+w5FqfSi8qugOZWzQwa6dNkIMDOIx9CZD6Q1Mve6Bwpt4ziPdQNvZgjpAeYSyMgjpea6JBVP9SmLCv8efPnoTmPvSbMR2DQWXQz0+gi/dBzomc9UPOjSq6az10TIFcIxInNhZBlBo5Smk5403lZjLWxX/KvVVT/T19F/+2z5fPjMubYuZIvB0LbXSQmvcbFIaVX2MdOXkx1d4Iy4whmCqFHr/37WJz2FgaHsbI/R/EcC5maqLeyZzAq925g92QiNQ2bXqY2jeondkqPF3ZOVmKDC1hy1PjaVXuIhp6Wq5GEvXHjBNr8vk/WS0enaZvKRuY3h+cHqukQ3RhVIQ8kRq+wHdqytg4c2ijY7Qn9IAKUQb13cpWpH4VFRTAoVR3O5i4OwQ8BCZSQ3YgW4GK9lN29wKUc1rAb2d8gmIq5/lObs0FKpOXDgkF7jC2ilRodJkbLGRcPi2MEWLsSlXjC5p5iwwf9u02EmXzeTWL/R4HhH8j6Efdc9qobPymhFdbrNDhYnu4/TzqJtyIjuWdsMitfAxnJBYAN3xxPpL8lTvhw8gg7eXtbrmisPy69TdsXBf
|
||||
```sh
|
||||
$ tail -f /var/log/auth.log | grep --line-buffered "sshd"
|
||||
```
|
||||
|
||||
Set the signed certificate as `HostCertificate` in `sshd_config` on the host
|
||||
machine. In order to make things work more automagically (e.g. if you don't
|
||||
want to specifically pick the host key/cert) it's a good idea to call this
|
||||
`<key>-cert.pub`, e.g. `/etc/ssh/ssh_host_rsa_key-cert.pub`. It's also not a
|
||||
bad idea to specifically pick the `HostKey` that will be used:
|
||||
If you are unable to make a connection to the host, the SSH server logs may
|
||||
provide guidance and insights.
|
||||
|
||||
```text
|
||||
cat /etc/ssh/sshd_config
|
||||
...
|
||||
...
|
||||
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
```
|
||||
### Known Issues
|
||||
|
||||
It's also a good idea to make sure that the permissions on the
|
||||
`HostCertificate` file are `0640` (on most systems).
|
||||
- On SELinux-enforcing systems, you may need to adjust related types so that the
|
||||
SSH daemon is able to read it. For example, adjust the signed host certificate
|
||||
to be an `sshd_key_t` type.
|
||||
|
||||
- On some versions of SSH, you may get the following error:
|
||||
|
||||
### Sign the client key
|
||||
```text
|
||||
no separate private key for certificate
|
||||
```
|
||||
|
||||
This is any key you want to use, e.g. `~/.ssh/id_rsa.pub`:
|
||||
|
||||
```text
|
||||
cd ~/.ssh
|
||||
|
||||
cat id_rsa.pub | vault write ssh-client-signer/sign/clientrole public_key=-
|
||||
Key Value
|
||||
--- -----
|
||||
serial_number c73f26d2340276aa
|
||||
signed_key ssh-rsa-cert-v01@openssh.com
|
||||
AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgOe8Iw9mRWhAuDcOFT9hZwMhQK9VduKswcU8XBMA+NgcAAAADAQABAAABAQCyr86Eozv+j8GuBy1fw5NHfak6dvXoQ6/YycbGG/X3o9/d6Xqu2Xd5dVijUvtyym1SgeORwtOXgtwGOFbjWMWBPDupeuRoJx5ww3JRv8jBkaA7JZXhaiSIy3rHwmJNmaLgD/vvqPJEp/E1YnmURbTK2RojnQt9uRI5QMgzg5M/J6ndcv8tbzThSE5NrfIM2AzHt8Ti32I7DhZfuo0goEPbZ7wNUO1u/94itJQ7G/WrUBiTYu5HErMXPrFxhX26IpMTx4d2PkJSzLsImpSGTSuo65tvpSzZgktytCkKi/wRZvNtsABGAm5uKpo+U9t/p0rWDIXyS4RF8knjx6I7QJdhxz8m0jQCdqoAAAABAAAATHZhdWx0LXRva2VuLTE2YmE5ODZkZmM3NTcwZDdhMzA5NDhjMDNiMDA5MTQ2M2JiNmM4OTQ3OTY4ZjcyNzY2MTAzMWJjYzg0ZDhiY2QAAAAAAAAAAFjPB+QAAAAAWM8JLgAAAAAAAAAAAAAAAAAAAhcAAAAHc3NoLXJzYQAAAAMBAAEAAAIBAOhiJObRCsr40aS/wf9KrVD2XY9DDFjVE5I+lGo6gUCAIzu+0RlIZyGbyPf8NrpWPzixSD7T0353AxnrPccbnt0FbJ8cYJsS358gm1FwJXsqRDjGS0F1qmrk/JyEGDRtgg/T4lZd7vI4BHqz4NYmBRQfCZiJjQaWvOjO2+1hxT+m+PjNZj8RZwIBhGJlOGok4n2sPOETOZUdVh6Vnx2V6EpmxQ5Dd1jl8IeBYnn8gpJ8ZQjXDWH/cQ0BOgEoidtbYn9bLSZux9QmGFrzjOCpJ4d3iBn1ippKnNh99W8PPpR34q09a3h6MkPK8lUUBWdUi9VQKS5dV58GULXRbDqXnYNd7H+t3FBb7jpk1XnOUU5SLhVYU9Pps6UgSPWGAcbRx8UoBFBdxWWnTfFOLkNEmneOUF/9At5TLiRkQVR1CX6CRUvDJKs6H7WQfATXklBak0fF/FbNic2eOiRPZEJbYA07hjy98w8JUzk4pJU0hIebdS6s2Qk1MCiYr8SWddCA/bdRxWBsXeY1EE/H1Tf/70ceRdyoN59IjtcELuekgEV160LEW3edb9xfiXXN+rpkTEJV177/jRXVT5M6gtlUshlnMS4DjQngf32grtA3n8y0IZpKvuSADH7vKZ9JjfutcHrA5WLkdMGWHKH5UUZT5abL6rmzF+vr5ksbCgam82HRAAACDwAAAAdzc2gtcnNhAAACACTZP18SBmhBw/FNXgJPZ9heJJbeZHhADfqtVSfIRO5zJHxTQko/uWh1IrpdPu+cRRjHmYJvxvzwvPdTej15gTkbe/2I5lHd7owVxpn98W5dDNGpTNwg+XUMNW19YGno97L4QeacYdI1P4OeklPotGboLEiNzPECZqAjt9g/THEkIR2Xy4knGby/UTXVYboVKwZKdeJhTyG2yhxvMAfFpbLJQW2PLpMHBryCLIiN/CYOZO9t0g2oIGWDoq8oW9rG01G3z2+KjtsJAgPsXRR5e77e/UriZtaSFwJ+LdKlLSi9p2W3gNxC/Vj82LflrdcNDRR9FtRRop7MeTdeWIAy+91GayM/teVNxPuDB0N5Qfuv4IIws3aPlnXcQb17rqg28Nx6v1alzcgiePF8jDlDuVKMraHwKsaG6OT6rXPixbPJiPko4bqPFMBoQ0S2mbZDCNnXZJs1T+IdrV49aAa+WZHzSIgnNRpgooeOfKyEKeZDs4vnrinGhaMGD9Vz8vaut3drEE5BkEaOysNrrPQRWwM1XOeeg13rGHmUc0VAJCH14R16HVZgD12Ef42Bcx7K5Eo7h1uZ8ghf1eOiZHkGFafU96fVF3m4lKotJU3PZrIElOUvMMn0YXtevDDge1ToEammABnn5lFUMsb+3jfyYQypYUkiKN17ANyOLg1fJQMd
|
||||
```
|
||||
|
||||
Save the signed key in a file (make sure you set the permissions to only be
|
||||
writeable by the owner); if you're saving it along with your public/private key
|
||||
(e.g. `~/.ssh/id_rsa(.pub)`), saving it with `-cert.pub` (e.g.
|
||||
`~/.ssh/id_rsa-cert.pub`) allows SSH to automatically discover it. Otherwise,
|
||||
you can tell the SSH client where to find it (and the associated private key)
|
||||
by using `-i` such as `ssh -i ~/.ssh/id_rsa -i my-signed-cert.pub localhost`.
|
||||
|
||||
If you want to see the configured extensions, principals, etc., you can use the
|
||||
`-L` flag to `ssh-keygen`, e.g. `ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub`.
|
||||
|
||||
### SSH into the host machine
|
||||
|
||||
```text
|
||||
ssh -i signed-client-cert.pub username@<IP of remote host>
|
||||
username@<IP of remote host>:~$
|
||||
```
|
||||
|
||||
### Troubleshooting
|
||||
|
||||
If you are not able to successfully make a client connection, looking at SSH server logs is likely to be your best bet. Some known potential issues:
|
||||
|
||||
* If on an SELinux-enforcing system, you may need to adjust related types so
|
||||
that the SSH daemon is able to read it, for instance by adjusting the signed
|
||||
host certificate to be an `sshd_key_t` type.
|
||||
* If you encounter an error on the client indicating `"no separate private key
|
||||
for certificate"` you may be hitting a bug introduced into OpenSSH version
|
||||
7.2 and fixed in 7.5. See [OpenSSH bug
|
||||
2617](https://bugzilla.mindrot.org/show_bug.cgi?id=2617) for details. If you
|
||||
are able to find a workaround without patching OpenSSH, please submit a PR to
|
||||
update this documentation!
|
||||
This is a bug introduced in OpenSSH version 7.2 and fixed in 7.5. See
|
||||
[OpenSSH bug 2617](https://bugzilla.mindrot.org/show_bug.cgi?id=2617) for
|
||||
details.
|
||||
|
||||
## API
|
||||
|
||||
|
|
Loading…
Reference in a new issue