open-vault/website/source/docs/secrets/ssh/index.html.md
2015-08-12 09:25:28 -07:00

5.6 KiB

layout page_title sidebar_current description
docs Secret Backend: SSH docs-secrets-ssh The SSH secret backend for Vault generates dynamic SSH keys or One-Time-Passwords.

SSH Secret Backend

Name: ssh

The SSH secret backend for Vault generates SSH credentials dynamically. This solves the problem of managing private keys of the infrastructure. There are 2 options available with this backend.

  1. Dynamic Type: Registering private keys (having root privileges) with Vault. Vault then issues leased dynamic credentials to Vault authenticated users. Vault uses the registered private key to install a new key for the user in the target host. This key will be a long lived key and gets deleted only after the lease is expired. After the user receiving the dynamic keys, Vault will have no control on the sessions created with that key and hence the sessions will not be audited. Which brings us to option 2.

  2. One-Time-Password (OTP) Type: Installing Vault-SSH agent in the target machines and enabling challenge response mechanism for client authentication. Vault server issues a OTP upon user request. During authentication, agent acts as a PAM module and validates the password with Vault server. Since Vault server is contacted for every SSH session establishment, they all get audited.

Quick Start

ssh backend is not mounted by default. So, the first step in using the SSH backend is to mount it.

$ vault mount ssh
Successfully mounted 'ssh' at 'ssh'!

Next, we must register infrastructures with Vault. This is done by writing the role information. The type of credentials created are determined by the key_type option.

Dynamic key type

Create a named key, say "dev_key", in Vault which represents a registered shared key.

$ vault write ssh/keys/dev_key key=@dev_shared_key.pem

Assuming that the target machine is hosted on Linux, create a script "key-linux-install.sh" that can install the given public key in the authorized keys file.

# This script file installs or uninstalls an RSA public key to/from authoried_keys
# file in a typical linux machine. This script should be registered with vault
# server while creating a role for key type 'dynamic'.

if [ $1 != "install" && $1 != "uninstall" ]; then
	exit 1
fi

# If the key being installed is already present in the authorized_keys file, it is
# removed and the result is stored in a temporary file.
grep -vFf $2 $3 > temp_$2

# Contents of temporary file will be the contents of authorized_keys file.
cat temp_$2 > $3

if [ $1 == "install" ]; then
# New public key is appended to authorized_keys file
cat $2 >> $3
fi

# Auxiliary files are deleted
rm -f $2 temp_$2

Create a role "dynamic_key_role". All the machines represented by CIDR block should be accessible through "dev_key" with root privileges.

$ vault write ssh/roles/dynamic_key_role key_type=dynamic key=dev_key admin_user=foo default_user=bar cidr=x.x.x.x/y install_script=@key-linux-install.sh

Create a dynamic key for an IP that belongs to the "dynamic_key_role".

$ vault write ssh/creds/dynamic_key_role ip=x.x.x.x
Key            	Value
lease_id       	ssh/creds/dynamic_key_role/862d55c9-e54e-917c-4c8f-f6e1a54b2e51
lease_duration 	600
lease_renewable	true
key_type       	dynamic
key            	-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArp4Y31kwSaIVcZ/geLCfhrbG4fpBXTTcPgefo/9YNUGCmbiC
pqHcW7TJ7wpLdWYTxEoD8fZJ5GKIYKvesGkiG2as6iBXrxYp+byZkZ8TmAbYyxhk
j5RN2Arxb7tWL/9FuLNrH0sa/xPX117mhKNdV1RquSNehqGvfC4Vd2Rl43tXyNpM
WSr787ERfAq4EqQfZC17QauUCy0DJwy5vP7t0QzIuCh9GZT+pFvXNJcEm4NkhJbh
jp+cU9JTEQW+Tw6BwDtGFhgSQd7KFd+7Asx4T8UfDb3461cRqLcAcfM1+Y18DNcP
chf3OP0qDJw2ovvGZ6X3f/+6GIttSttciqmF2QIDAQABAoIBACqVJ1+gMmRigHQ7
FtSXze9eN1X4X2RJdcQyu72UkYA7P4wZMNNN+Zzrk6sViZ1RjVR68EdbVl25oaRh
hWbj3ItuGJDn3jo2X3olghW/A1o5oTi19CAHfIxI7uPefYAq8me+aUsyV50Iy8Qb
wn9qD2MylOwdMfoHB/Jyko2RED/O9zBtlCz6qObFOimLNRKKNoK1gz0KctRQaV6j
2PHrnyF2OCuxFcEU9gOEW5rGlBxkhQbiBWYC8HXALgcpQ4FyF4MxnQuyGAQVQZh2
FhhuOBW0iiElK8U+WOwMTyZZBHhbszFF05CM8IsWvqJLkKuCmbHG2Mq0Irigo9gR
HfNDhnkCgYEAyKemyGv27bXjSEhudtBcP+EoTrfqhLjGNCO7J/LlBvUpDo4yjXq3
z3J+jPuzakfOfN27xBNODP1tWyIwZ45Aozoa3enuk/kFhNAJVkgFa7JEuoqBFgCH
pj51JXLtF6K+2JbpJfYNSGbVPHNfSvs4uJoWKXZt4QATbdt9gBvww1sCgYEA3sfv
v9to8vSyD1Du9kxyl6PjiXc+CNagYenUmoHJaRFupDBIoUH65XCuXwcJvloakIX4
XAwuHtkPJcFKGX0mh5btbwoOtz3nb4hp2LEY/T05Jam5bYfRJZop112Xc/MLUm0J
/oazn5p06kg/Z2SwrY+IAs7VMm6PT/6NZvt25dsCgYBOfJ2Vef29n88GgCaNXRUo
e4cLu48FWU1WKb/UcYM6hH0Jz39grebmQy/TL8VPRkUzvHvsx2xZUmwLIMV0TEVm
U50cvptu0BJjkAiG8mcEaFfP68twcsactYOXIWwyOZuTFvydt7AcaPTxz2Mv7jKS
qtsOXt++CgyPhTKDAOrdTwKBgE3JW+IOl0d1vxJv/PAM41olRFaERynI3vkxLyW/
uXaxOoOjxEhiBFvGi2vsxi8rwOjDjmN9cUEeIxbYtanOs/xV65OA3ICI4d1ksSiT
NZl+ngyThYZEDPfnK0Lij/ZRX5upLPstR1ysDrSbA2BznOkNG713QKO6TNnulKrn
lK1PAoGAfK2HtnHwiBQC2OobA84tlx6571zuTcoFl0FN74fDUIChh4YVzVXsYBcp
1PFYe3YpCpgNwjmX8uNBHWVL/m21c55C88QAExtfoUsQ3dAJvunpJ6MTGBoTDMWi
HRTKLBJUNd9V410xllz+uupFayoMJyfesULETjuT/UYXBoon46I=
-----END RSA PRIVATE KEY-----

Save the key to a file, say "dyn_key.pem", and then use it to establish an SSH session.

$ ssh -i dyn_key.pem username@ip
username@ip:~$

Creating new keys, saving it in a file and establishing an SSH session will all be done via a single Vault CLI.

$ vault ssh -role dynamic_key_role username@ip
username@ip:~$

OTP key type

Create a role "otp_key_role" of key type "otp". All the machines represented by CIDR block should have Vault SSH agent installed and challenge response mechanism enabled as detailed in https://github.com/hashicorp/vault-ssh-agent.

$ vault write ssh/roles/otp_key_role key_type=otp default_user=bar cidr=x.x.x.x/y

Create an OTP