We have enabled the SSH secrets engine to sign SSH certificates, and it works fine from Linux to Linux.
Now we have downloaded the Vault binary for Windows and recreated the same steps to log in using similar options from Windows, but it still says pubkey denied.
the steps are:
downloaded the Windows Vault binary from the site, extracted it and
copied vault.exe into c:\Windows
opened a PowerShell window and typed
ssh-keygen -f keypairs -t rsa -b 4096
mv keypairs* .ssh/
$env:VAULT_TOKEN=(vault login -token-only -method=ldap -path=ldap username=myADuser)
vault write -field=signed_key ssh-client-signer/sign/devops public_key=@./.ssh/keypairs.pub > ./.ssh/keypairs-signed.pub
Everything was OK except these 2 things:
.\.ssh\keypairs-signed.pub:1: invalid key: invalid format
and ssh firstname.lastname@example.org
Permission denied (publickey). I guess it's because the format is invalid, so... how can I fix this?
Everything on the internet explains how to log in using a public key, but nobody explains (or at least I can't find it yet, after hours of research) how to log in using a signed certificate from a Windows client to Linux.
I'm going to assume this is a shortcut for pasting, as this isn't going to give you the token. Log in, then run
vault print token in-line to get the token.
Did you miss a "" in the "MyUser.ssh"? Or is that a copy-n-paste issue?
What does this file look like? How did you generate it?
Did you add the vault ssh key into the /etc/sshd/ configuration file?
Thanks for answering.
1- Yes, that link works, and vault print token confirms I received it.
2- Maybe it was a copy-paste error; I missed the "" between ...MyUser\ssh..., not MyUser.ssh.
3- I generated it following those steps from PowerShell.
I'm pasting a screenshot here so you can verify the steps.
@aram from Linux we can log in this way, but we need to prepare a simple script for Windows users so they can log in directly and use the session with this signed certificate, so it's just the Windows client issue to fix.
The only thing I can think of is that PS is doing something weird with the \ and / and escaping something it shouldn’t. I did it in CMD and it worked just fine.
The vault write command seems incorrect, but there's no error, so it may just be a screen grab thing.
I don't see you writing the key back? But that wouldn't cause the error in the signed.pub... here are the steps I used:
CMD> ssh-keygen -t rsa -C "aram@windows" -f "id_rsa_signed"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_signed.
Your public key has been saved in id_rsa_signed.pub.
The key fingerprint is:
The key's randomart image is:
CMD> vault write ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub
signed_key email@example.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgF3G+zEd0jOvpCqPCpj3d6...
CMD> vault write -field=signed_key ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub > signed-cert.pub
CMD> ssh-keygen -Lf signed-cert.pub
Type: firstname.lastname@example.org user certificate
Public key: RSA-CERT SHA256:RtzWwwB5Rd+rFzG1gQ/5XqnVnke4cUK+dHYeerh1gN8
Signing CA: RSA SHA256:4EFxgjjreovjohqY+60S6ZDrmTeodT77Rvr4L89ADec (using rsa-sha2-256)
Key ID: "vault-root-46dcd6c3007945dfab1731b5810ff95ea9d59e47b87142be74761e7ab87580df"
Valid: from 2022-04-28T05:25:46 to 2022-04-28T05:56:16
Critical Options: (none)
CMD> ssh -i signed-cert.pub -i id_rsa_signed awm@linux
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Apr 28 05:31:01 2022 from 10.32.44.12
MMMMMMMMMMMMMMMMMM OS: Red Hat Enterprise Linux 8.5 (Ootpa) x86_64
Yup... I can confirm... the issue is PowerShell; with CMD it works... never thought of that.
@aram just for information, I did a diff of both vault write outputs, from PowerShell and from cmd, and the difference can't be seen by eye because the content is very similar. The difference is that PowerShell outputs on Windows as UTF-16 LE and cmd outputs as UTF-8 Unix; that's why the format from cmd is correct and Linux can understand it. In any case, thanks for the help.
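Putting aram's CMD steps and the UTF-16 LE diagnosis above together, here is an added PowerShell script that performs the same key generation, Vault signing, certificate check and login from PowerShell without the encoding problem. It is an added example, not code from the thread or from Vault's documentation. It assumes VAULT_ADDR is already set, uses the role path ssh-client-signer/sign/devops and the LDAP login from the original post, and uses placeholder values for the AD user and the Linux host. Instead of the `>` redirection (which in Windows PowerShell 5.1 writes UTF-16 LE with a byte-order mark, the cause of "invalid format"), the certificate is written explicitly as ASCII, and a small check function reports whether a certificate file carries a BOM or NUL bytes before ssh is even attempted.

```powershell
# Added example (not from the thread): sign an SSH key with Vault from PowerShell
# and write the certificate as plain ASCII so OpenSSH can read it.
# Assumptions (placeholders, not from the thread): $adUser and $linuxHost below.
$ErrorActionPreference = 'Stop'
$adUser    = 'myADuser'          # placeholder AD user name
$linuxHost = 'user@linux-host'   # placeholder target host
$sshDir    = Join-Path $HOME '.ssh'
$keyPath   = Join-Path $sshDir 'keypairs'
$certPath  = "$keyPath-signed.pub"

function Test-OpenSshCertFile {
    # Report why OpenSSH would reject a certificate file, or 'OK'.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # UTF-16 LE files start with the BOM FF FE: this is what PowerShell 5.1 '>' produces.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        return 'UTF-16 LE BOM found: file was written by PowerShell redirection, OpenSSH will reject it'
    }
    # A UTF-8 BOM (EF BB BF) also breaks the first field of the key line.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return 'UTF-8 BOM found: strip it before use'
    }
    # UTF-16 without a BOM shows up as NUL bytes between ASCII characters.
    if ($bytes -contains 0) { return 'NUL bytes found: file is probably UTF-16 without BOM' }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    # OpenSSH certificate lines start with a key type such as ssh-rsa-cert-v01@openssh.com.
    if ($text -notmatch '^[a-z0-9@.-]+-cert-v01@openssh\.com ') {
        return 'Does not start with an OpenSSH certificate key type'
    }
    return 'OK'
}

if (-not (Test-Path $sshDir)) { New-Item -ItemType Directory -Path $sshDir | Out-Null }

# 1. Generate the key pair (RSA 4096, as in the thread) if it does not exist yet.
if (-not (Test-Path $keyPath)) {
    ssh-keygen -t rsa -b 4096 -f $keyPath
}

# 2. Log in and keep the token in this session only.
$env:VAULT_TOKEN = (vault login -token-only -method=ldap -path=ldap "username=$adUser")

# 3. Ask Vault to sign the public key. Capture the output as a string instead of
#    using '>' so that the encoding of the file is under our control.
$signed = (vault write -field=signed_key ssh-client-signer/sign/devops "public_key=@$keyPath.pub") -join ''
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($signed)) {
    throw 'Vault did not return a signed key'
}
# Write ASCII with a single LF and no BOM: the format OpenSSH expects.
[System.IO.File]::WriteAllText($certPath, $signed.Trim() + "`n", [System.Text.Encoding]::ASCII)

# 4. Check the file before trusting it, then show the certificate details.
$verdict = Test-OpenSshCertFile -Path $certPath
if ($verdict -ne 'OK') { throw "Certificate file is unusable: $verdict" }
ssh-keygen -Lf $certPath

# 5. Log in with the certificate and the matching private key, as in aram's CMD session.
ssh -i $certPath -i $keyPath $linuxHost
```

The check function is also useful on its own against a file produced by the original `>` command: run Test-OpenSshCertFile on it and it reports the UTF-16 LE BOM, which is exactly the difference the diff in the thread could not show by eye. In PowerShell 7 the `>` operator defaults to UTF-8 without BOM, so the original command would have worked there; the explicit ASCII write above behaves the same on both versions.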