Docs: SSH CA Config & Comments. Resolves: #7529 (#16826)

* Docs: SSH CA Config & Comments. Resolves: #7529

* Docs: SSH CA Config & Comments. Added changelog note.

* Docs: SSH CA Config & Comments.

* Docs: SSH CA Config & Comments. Cipher feedback.

* Docs: SSH CA Config & Comments. Removed changelog file not needed for docs.
aphorise 2022-08-24 14:27:36 +02:00 committed by GitHub
parent 483886f227
commit d0eb5b9cfc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 0 deletions


@ -466,6 +466,50 @@ forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
}
```
### Key Comments
There are additional steps needed to preserve [comment attributes](https://www.rfc-editor.org/rfc/rfc4716#section-3.3.2)
in keys which ought to be considered if they are required. Private and public
key may have comments applied to them and for example where `ssh-keygen` is used
with its `-C` parameter - similar to:
```shell-session
ssh-keygen -C "...Comments" -N "" -t rsa -b 4096 -f host-ca
```
Adapted key values containing comments must be provided with the key related
parameters as per the Vault CLI and API steps demonstrated below.
```shell-extension
# Using CLI:
vault secrets enable -path=hosts-ca ssh
KEY_PRI=$(cat ~/.ssh/id_rsa | sed -z 's/\n/\\n/g')
KEY_PUB=$(cat ~/.ssh/id_rsa.pub | sed -z 's/\n/\\n/g')
# Create / Update keypair in Vault
vault write ssh-client-signer/config/ca \
generate_signing_key=false \
private_key="${KEY_PRI}" \
public_key="${KEY_PUB}"
```
```shell-extension
# Using API:
curl -X POST -H "X-Vault-Token: ..." -d '{"type":"ssh"}' http://127.0.0.1:8200/v1/sys/mounts/hosts-ca
KEY_PRI=$(cat ~/.ssh/id_rsa | sed -z 's/\n/\\n/g')
KEY_PUB=$(cat ~/.ssh/id_rsa.pub | sed -z 's/\n/\\n/g')
tee payload.json <<EOF
{
"generate_signing_key" : false,
"private_key" : "${KEY_PRI}",
"public_key" : "${KEY_PUB}"
}
EOF
# Create / Update keypair in Vault
curl -X POST -H "X-Vault-Token: ..." -d @payload.json http://127.0.0.1:8200/v1/hosts-ca/config/ca
```
~> **IMPORTANT:** Do NOT add a private key password since Vault can't decrypt it.
Destroy the keypair and `payload.json` from your hosts immediately after they have been confirmed as successfully uploaded.
### Known Issues
- On SELinux-enforcing systems, you may need to adjust related types so that the
SSH daemon is able to read it. For example, adjust the signed host certificate
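Review bot: The CLI block enables the engine at `-path=hosts-ca` but then writes to `ssh-client-signer/config/ca`, a mount this snippet never creates; it should be `vault write hosts-ca/config/ca \` so that it matches both the enable step and the API block, which correctly posts to `/v1/hosts-ca/config/ca`. In the same hunk the CA key is generated with `ssh-keygen ... -f host-ca`, yet both the CLI and API blocks read `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`, i.e. the operator's personal login key rather than the freshly created CA key; they should read `host-ca` and `host-ca.pub`. Two smaller points: the two fences are tagged `shell-extension` where the section otherwise uses `shell-session`, and `sed -z` is a GNU extension that is not available in BSD/macOS sed, so the `\n` escaping step should be noted as GNU-only. For the CLI path the escaping is unnecessary anyway, since `vault write` accepts file contents directly (`private_key=@host-ca public_key=@host-ca.pub`); the `\n` substitution is only needed to build the JSON `payload.json` for the API call.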