Client configuration

I’m testing setting up signed SSH certs and had a general question about vault setup. As of now, I have a vault deployed via helm chart with a consul backend on a cluster setup with kubeadm. I’m currently exposing the UI through a nodeport on the cluster.

I’m at the point in the learn article to ask vault to sign your public key (step 2 at Signed SSH Certificates - SSH - Secrets Engines | Vault by HashiCorp), and I couldn’t find any good information on how to connect a machine to the vault server. Can someone point me to documentation on how to setup a client? I tried running vault server -config config.hcl where the config.hcl contained vault_addr = "http://node_port_address". When doing this, it returned the message that I needed to setup a backend. This error messages seems like it’s trying to setup a server, but I don’t think I need to do that. The step seems to assume that you’re connected to the vault server and it’s not clear how that’s done.

Thanks in advance.

Are you confusing SSH “certificate signing” and “SSH OTP”? One is a certificate PKI infrastructure, no connectivity needed. The other is a one-time-password generator that uses the vault client and does need connectivity.

You are correct you don’t need to setup another server, but since you ran vault server that’s what you told Vault to do! So, it tried and failed because the configuration file was mostly empty.

There’s very little setup needed.

You tell the client where your Vault server is located by setting the VAULT_ADDR environment variable to http://node_port_address, and you log in using one of various forms of vault login or vault write command, depending on which authentication methods you have configured in your Vault.

But, wouldn’t you have needed to do that already, to follow some of the earlier setup instructions on the page you linked to?

The documentation page linked to is about “certificate signing”, and not “SSH OTP”.

No, they are trying to establish the required connectivity from the client to the CA, in order to get their signed certificate.

It’s a distraction to bring up that this solution doesn’t require connectivity between Vault and the SSH server, when the issue at hand is getting the client to talk to Vault.

That makes sense. This seems like a relatively simple thing, but I went through the helm setup instead of setting this up on a linux so my assumption was that I missed something.

I have had to login. I believe the earlier steps could be run on the client or the vault server, so I ran these on the server and then copied those public keys to the new machine before restarting sshd.

I went through the steps you mentioned. Even after setting the VAULT_ADDR to the node port, when I type in vault login and try to login with a token, I get the following error:

Error authenticating: error looking up token: Get dial tcp connect: connection refused

It seems to still be looking at my localhost. Is there any additional setup that I need to do? I did download this using snap and am on version v.1.5.9 (cgo). Unsure if that has anything to do with this issue.

Thanks for pointing that out aram. I’ve looked into both and it seems like certificate signing is the better solution. It seems easier to setup and a better solution since the machine you are sshing doesn’t need to be connected to the vault server.

Did you set the VAULT_ADDR variable in your shell and forget to export it so it is visible to child processes?

The error you posted is consistent with not having set the variable at all.

Alternatively, you mention snap - personally I’ve always disliked snap as yet another layer of abstraction making things complicated, and therefore I have no idea if environment variables propagate normally to snap-encapsulated software. (I always uninstall snap immediately from every Ubuntu machine I own.)

Vault 1.5 is really rather ancient. Whilst I don’t expect it to be causing this particular issue, it is very much end of life and you should prefer a more modern version.

Vault can be installed simply by downloading and unzipping - the executable is a single standalone file that can be placed in /usr/local/bin/ or whereever else you prefer - this makes the advantages of snap particularly small, for Vault.

You can find the downloads at Vault Versions | HashiCorp Releases

That worked!

Concerning snap, I typically don’t use it, but it was the lazy, convenient option for this POC.

Thanks again for the help!

As a general setup, I agree. It makes it manageable and its simple to automate to install.

SSH-OTP is very good for managing access but most people don’t need that level of dynamic access requirement.