We have enabled the SSH secrets engine to sign SSH certificates, and it works fine from Linux to Linux.
Now we downloaded the Vault binary for Windows and recreated the same steps to log in using similar options from Windows, but it still says pubkey denied.
The steps are:
Download the Windows Vault binary from the site, extract it, and
Host *
CertificateFile C:\Users\MyUser.ssh\keypairs-signed.pub
IdentityFile C:\Users\MyUser.ssh\keypairs
StrictHostKeyChecking no
Everything was OK except these 2 things:
.\.ssh\keypairs-signed.pub:1: invalid key: invalid format
and ssh devops@serverlinux.example.com Permission denied (publickey), I guess because the format is invalid, so… how can I fix this?
Everything on the internet explains how to log in using a public key, but nobody explains (or at least I can't find it yet after hours of research) how to log in using a signed certificate from a Windows client to Linux.
I’m going to assume this is a shortcut for pasting as this isn’t going to give you the token. Login then run vault print token in-line to get you the token.
Did you miss a "" in the “MyUser.ssh”? Or is that a copy-n-paste issue?
What does this file look like? How did you generate it?
Did you add the vault ssh key into the /etc/sshd/ configuration file?
Hi @aram
thanks for answering
1- Yes, that link works and vault print token confirms I received it.
2- Maybe it was a copy-pasting error, I missed the “” between …MyUser\ssh… not MyUser.ssh.
3- I generated it following those steps from PowerShell.
I paste here a screenshot so you can verify the steps.
@aram from Linux we can log in this way, but we need to prepare a simple script for Windows users so they can log in directly and use a session with this signed certificate, so it is just the Windows client issue to fix.
The only thing I can think of is that PS is doing something weird with the \ and / and escaping something it shouldn’t. I did it in CMD and it worked just fine.
The vault write command seems incorrect but no error so it maybe just a screen grab thing.
I don’t see you writing the key back? But that wouldn’t cause the error in the signed.pub … here are the steps I used:
CMD> ssh-keygen -t rsa -C "aram@windows" -f "id_rsa_signed"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_signed.
Your public key has been saved in id_rsa_signed.pub.
The key fingerprint is:
SHA256:RtzWwwB5Rd+rFzG1gQ/6YznvNke4cUK+dHYeerh1gN8 aram@windows
The key's randomart image is:
+---[RSA 3072]----+
| .o.oo o..|
..
| |
+----[SHA256]-----+
> vault write ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub
Key Value
--- -----
serial_number 6c4fc6ac71d5f81b
signed_key ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgF3G+zEd0jOvpCqPCpj3d6...
/qPPYaVd9PjpYH0C6Zng7S8r2NZaXSv4BVHKqhXcLxSw/WcBJZxu+GUwikHkJ2mw==
CMD> vault write -field=signed_key ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub > signed-cert.pub
CMD>ssh-keygen -Lf signed-cert.pub
signed-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:RtzWwwB5Rd+rFzG1gQ/5XqnVnke4cUK+dHYeerh1gN8
Signing CA: RSA SHA256:4EFxgjjreovjohqY+60S6ZDrmTeodT77Rvr4L89ADec (using rsa-sha2-256)
Key ID: "vault-root-46dcd6c3007945dfab1731b5810ff95ea9d59e47b87142be74761e7ab87580df"
Serial: 8386717593444493959
Valid: from 2022-04-28T05:25:46 to 2022-04-28T05:56:16
Principals:
ubuntu
Critical Options: (none)
Extensions:
permit-pty
CMD> ssh -i signed-cert.pub -i id_rsa_signed awm@linux
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Apr 28 05:31:01 2022 from 10.32.44.12
.MMM..:MMMMMMM awm@linux
MMMMMMMMMMMMMMMMMM OS: Red Hat Enterprise Linux 8.5 (Ootpa) x86_64
@aram just for information, I did a diff of both vault write… outputs, from PowerShell and from CMD, and the difference can’t be seen by eye because the content is very similar; the difference is that the PowerShell output on Windows is UTF-16 LE and the CMD output is UTF-8 Unix, that’s why the format from CMD is correct and Linux can understand it. In any case, thanks for the help.
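For readers hitting the same encoding problem, here is an added example (not from the thread or from Vault's own docs) of a PowerShell script that signs the key and writes the certificate as UTF-8 without a byte-order mark, then checks the file before using it. It assumes the "ssh-client-signer" mount and "linux-access" role used above, a key pair at $env:USERPROFILE\.ssh\id_rsa_signed, and an already logged-in vault CLI on PATH.

```powershell
# Added example: sign a key with Vault from PowerShell and save the certificate as
# UTF-8 (no BOM). In Windows PowerShell 5.1 the '>' operator goes through Out-File,
# whose default encoding is UTF-16 LE, which OpenSSH reports as "invalid format".
$keyPath  = "$env:USERPROFILE\.ssh\id_rsa_signed"          # assumed key location
$certPath = "$env:USERPROFILE\.ssh\id_rsa_signed-cert.pub"  # <IdentityFile>-cert.pub is auto-loaded by ssh

# Ask Vault for only the signed_key field and collapse the output to one string.
$signed = (& vault write -field=signed_key ssh-client-signer/sign/linux-access `
             "public_key=@$keyPath.pub" | Out-String).Trim()
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($signed)) {
    throw "vault write failed (exit code $LASTEXITCODE)"
}

# Write the bytes explicitly as UTF-8 without BOM, with a single LF terminator.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($certPath, $signed + "`n", $utf8NoBom)

# Check 1: the file must not start with the UTF-16 LE BOM (FF FE) or UTF-8 BOM (EF BB BF).
$head = [System.IO.File]::ReadAllBytes($certPath) | Select-Object -First 3
if (($head[0] -eq 0xFF -and $head[1] -eq 0xFE) -or
    ($head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF)) {
    throw "certificate file has a BOM; OpenSSH will reject it"
}

# Check 2: OpenSSH itself must be able to parse it (prints Type, Signing CA, Valid, Principals).
ssh-keygen -Lf $certPath
if ($LASTEXITCODE -ne 0) { throw "ssh-keygen could not parse $certPath" }

# Usage: ssh -i $certPath -i $keyPath devops@serverlinux.example.com
```

With the certificate saved next to the private key as id_rsa_signed-cert.pub, the CertificateFile line in the ssh config is optional, since OpenSSH looks for that name automatically; the explicit -i form shown in the thread also works.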