SSH setup

SSH CA

Signed SSH certificates are the simplest and most powerful option, both in terms of setup complexity and in terms of being platform agnostic. By leveraging Vault's powerful CA capabilities and functionality built into OpenSSH, clients can SSH into target hosts using their own local SSH keys.

Vault server

On the Vault server, enable the SSH secrets engine:

vault secrets enable -path=ssh-client-signer ssh

Generate the CA SSH key pair:

vault write ssh-client-signer/config/ca generate_signing_key=true

Extract the CA public key and save it to disk:

vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

Target nodes

Copy CA public key

Copy the /etc/ssh/trusted-user-ca-keys.pem file from above to each node where users need to log in via SSH.

Update sshd_config

Update sshd_config with the TrustedUserCAKeys parameter:

# grep -C3 TrustedUserCAKeys /etc/ssh/sshd_config

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
#AuthorizedPrincipalsFile %h/.ssh/authorized_principals

#AuthorizedPrincipalsFile none

Check that sshd picked up the parameter (look for the TrustedUserCAKeys line in the output):

sshd -T

Restart the SSH server on each target node:

systemctl restart ssh

Vault server

Create a role per user (e.g. ubuntu) for signing client keys:

vault write ssh-client-signer/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allow_user_key_ids": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "90m0s"
}
EOH

Client node (workstation)

Ask Vault to sign your public key (the -field=signed_key flag makes the command print only the certificate, so the output can be redirected straight to a file):

vault write -field=signed_key ssh-client-signer/sign/my-role -<<"EOH"
{
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2LPepgZ/X8zEm8FRap/iY2UH0+Wq76Jh93DGpvKMDD+cijBfnRv6hwXeWqZiotjsIUKTzO+Q+tPGC9HvhPbeTxVyNfWOPmtuQD7FKtMs+dVBoN8qSIW+5GzADI5Lf4odvhbeHqpEr+BkUSEPLn6tS+M1575x70cCwW+H7rr413SLScy5mNH9T1TwDoGK0t4AjHSSpZCix1weOES+dDdD3j9afAahxw1RarBwbVlbo5FmlW5v4QcKoqGNbBMSgakmVD6OwXz+3hUOSgAuByR8krs0Xc6wNYb5gQWvvkABZjEVg0ccEOnPrBvc+cakoa74ROttUR9n58e/mEG6YGa65 [email protected]",
  "valid_principals": "root",
  "key_id": "custom-prefix",
  "extensions": {
    "permit-pty": ""
  }
}
EOH

where valid_principals must match the SSH_USERNAME you will log in as on the target SSH nodes. Save the signed_key output of the above command to disk as ~/.ssh/id_rsa-cert.pub, next to the private key it certifies.

[Optional] View the enabled extensions, principals and metadata of the signed key:

ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub

Testing

Log in to the target SSH node, providing both your private key and the signed certificate:

ssh -i ~/.ssh/id_rsa -i ~/.ssh/id_rsa-cert.pub SSH_USERNAME@host

where SSH_USERNAME must match one of the valid_principals in the signed certificate.
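The two checks this page relies on, that the certificate's valid_principals contain the SSH_USERNAME and that the certificate is still inside its ttl, are exactly what ssh-keygen -L prints and what sshd evaluates on the target node. The following is an added example, not code from this page or from Vault or OpenSSH, that parses the OpenSSH certificate wire format (the base64 blob in ~/.ssh/id_rsa-cert.pub) and reports why a login as a given user would be refused. The build_sample_cert helper is a constructed stand-in for Vault's sign output: the key material and signature bytes are dummies, so the certificate is structurally valid but not cryptographically signed; sshd's signature check against TrustedUserCAKeys is not reproduced here.

```python
import base64
import struct
import time

# Number of public-key fields that follow the nonce in each certificate type
# (RSA: e and n as mpints; ed25519: the raw key; ECDSA: curve name and point).
# mpints are wire-encoded exactly like strings, so one reader serves all three.
KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
}
SSH_CERT_TYPE_USER = 1   # what Vault's allow_user_certificates produces
SSH_CERT_TYPE_HOST = 2


def _string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def _read_pairs(buf: bytes) -> dict:
    """Decode a critical-options / extensions section: repeated (name, data)."""
    out, off = {}, 0
    while off < len(buf):
        name, off = _read_string(buf, off)
        data, off = _read_string(buf, off)
        # Options that carry a value (e.g. force-command) wrap it in one more string;
        # permit-* extensions carry no data at all.
        value, _ = _read_string(data, 0) if data else (b"", 0)
        out[name.decode()] = value.decode()
    return out


def parse_cert_line(line: str) -> dict:
    """Parse one line of an OpenSSH *-cert.pub file (what ssh-keygen -L reads)."""
    fields = line.split()
    cert_type, blob = fields[0], base64.b64decode(fields[1])
    if cert_type not in KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {cert_type}")
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != cert_type:
        raise ValueError("certificate type prefix does not match blob")
    _nonce, off = _read_string(blob, off)
    for _ in range(KEY_FIELDS[cert_type]):       # skip the certified public key
        _, off = _read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    critical_blob, off = _read_string(blob, off)
    extensions_blob, off = _read_string(blob, off)
    principals, poff = [], 0
    while poff < len(principals_blob):
        p, poff = _read_string(principals_blob, poff)
        principals.append(p.decode())
    return {
        "type": cert_type, "serial": serial, "cert_type": ctype,
        "key_id": key_id.decode(), "principals": principals,
        "valid_after": valid_after, "valid_before": valid_before,
        "critical_options": _read_pairs(critical_blob),
        "extensions": _read_pairs(extensions_blob),
    }


def check_cert(cert: dict, ssh_username: str, now=None) -> list:
    """Return the reasons sshd would reject this cert for ssh_username@host; [] if none."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        problems.append("not a user certificate")
    if ssh_username not in cert["principals"]:
        problems.append(f"{ssh_username!r} not in valid_principals {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        problems.append("outside validity window (check the role ttl and host clocks)")
    if "permit-pty" not in cert["extensions"]:
        problems.append("permit-pty extension missing: an interactive shell will be refused")
    return problems


def build_sample_cert(principals, key_id, valid_after, valid_before, extensions=("permit-pty",)):
    """Constructed sample (NOT real Vault output): dummy key and signature bytes."""
    cert_type = "ssh-ed25519-cert-v01@openssh.com"
    body = (
        _string(cert_type.encode())
        + _string(b"\x00" * 32)                                  # nonce
        + _string(b"\x11" * 32)                                  # user public key (dummy)
        + struct.pack(">QI", 1, SSH_CERT_TYPE_USER)              # serial, type
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _string(b"")                                           # critical options
        + _string(b"".join(_string(e.encode()) + _string(b"") for e in extensions))
        + _string(b"")                                           # reserved
        + _string(b"\x22" * 51)                                  # CA public key (dummy)
        + _string(b"\x33" * 83)                                  # signature (dummy)
    )
    return f"{cert_type} {base64.b64encode(body).decode()} vault-signed"


if __name__ == "__main__":
    # A 90-minute certificate (the role's ttl) for principal "ubuntu", checked for two users.
    issued = int(time.time())
    line = build_sample_cert(["ubuntu"], "custom-prefix", issued, issued + 90 * 60)
    cert = parse_cert_line(line)
    print(cert["key_id"], cert["principals"], cert["extensions"])
    print("ubuntu:", check_cert(cert, "ubuntu") or "ok")
    print("root:", check_cert(cert, "root") or "ok")
```

To inspect a real certificate, call parse_cert_line on the single line of ~/.ssh/id_rsa-cert.pub and compare the principals list against the user you intend to log in as; a mismatch between valid_principals in the sign request and SSH_USERNAME on the host is the most common reason the Testing step fails with a plain "Permission denied".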

References

https://www.lorier.net/docs/ssh-ca.html
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates/
https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/
https://www.vaultproject.io/api-docs/secret/ssh/