Connect to server linux using Hashicorp Vault SSH client signed from windows client

Hi community

We are enable secret engine ssh to sign certificate ssh, and works fine from linux-2-linux
now we download the vault binary for windows and recreate the same steps to login using similar options from windows but still saying pubkey denied

the steps are:

download windows binary vault from site, extracted and

copied vault.exe in c:\Windows

open powershell window and typed

cd C:\Users\MyUser

ssh-keygen -f keypairs -t rsa -b 4096

mv keypairs * .ssh/

$env:VAULT_ADDR=“https://vault.example.com
env:VAULT_TOKEN=(vault login -token-only -method=ldap -path=ldap username=myADuser)
vault write -field=signed_key ssh-client-signer/sign/devops public_key=@./.ssh/keypairs .pub > ./.ssh/keypairs -signed.pub

notepad C:\Users\MyUser.ssh\config

IdentityFile C:\Users\MyUser.ssh\keypairs

Host *
CertificateFile C:\Users\MyUser.ssh\keypairs-signed.pub
IdentityFile C:\Users\MyUser.ssh\keypairs
StrictHostKeyChecking no

everything was ok except this 2 things

.\.ssh\keypairs-signed.pub:1: invalid key: invalid format

and ssh devops@serverlinux.example.com
Permission denied (publickey) i guess because the forma is invalid so… how can I fix this?

everything in internet explain how login using public key but no one explain or at least can’t found it yet after hours of reasearch how login using certificate signed from windows client to linux

I’m going to assume this is a shortcut for pasting as this isn’t going to give you the token. Login then run vault print token in-line to get you the token.

Did you miss a “” in the “MyUser.ssh”? Or is that a copy-n-paste issue?

What does this file look like? How did you generate it?
Did you add the vault ssh key into the /etc/sshd/ configuration file?

Hi @aram
thanks for answering
1- yes that link works and vault print token conferm i received.
2- maybe was error copy pasting the i fmiss “” between …MyUser\ssh… not MyUser.ssh
3- i generated following those steps from powershell.
i paste here a screenshot to can verify the steps

no screenshot posted.

@aram from linux we can login using this way but we need to prepare a simple script for windows user to can login directly to use session with this certificate signed, so is just to fix the windows issue as client

The only thing I can think of is that PS is doing something weird with the \ and / and escaping something it shouldn’t. I did it in CMD and it worked just fine.

The vault write command seems incorrect but no error so it maybe just a screen grab thing.
I don’t see you writing the key back? but that wouldn’t cause the error in the signed.pub … here are the steps I used:

CMD> ssh-keygen -t rsa -C "aram@windows" -f "id_rsa_signed"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_signed.
Your public key has been saved in id_rsa_signed.pub.
The key fingerprint is:
SHA256:RtzWwwB5Rd+rFzG1gQ/6YznvNke4cUK+dHYeerh1gN8 aram@windows
The key's randomart image is:
+---[RSA 3072]----+
|        .o.oo o..|
..
|                 |
+----[SHA256]-----+

> vault write ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub
Key              Value
---              -----
serial_number    6c4fc6ac71d5f81b
signed_key       ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgF3G+zEd0jOvpCqPCpj3d6...
/qPPYaVd9PjpYH0C6Zng7S8r2NZaXSv4BVHKqhXcLxSw/WcBJZxu+GUwikHkJ2mw==

CMD> vault write -field=signed_key ssh-client-signer/sign/linux-access public_key=@id_rsa_signed.pub > signed-cert.pub

CMD>ssh-keygen -Lf signed-cert.pub
signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:RtzWwwB5Rd+rFzG1gQ/5XqnVnke4cUK+dHYeerh1gN8
        Signing CA: RSA SHA256:4EFxgjjreovjohqY+60S6ZDrmTeodT77Rvr4L89ADec (using rsa-sha2-256)
        Key ID: "vault-root-46dcd6c3007945dfab1731b5810ff95ea9d59e47b87142be74761e7ab87580df"
        Serial: 8386717593444493959
        Valid: from 2022-04-28T05:25:46 to 2022-04-28T05:56:16
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-pty

CMD> ssh -i signed-cert.pub -i id_rsa_signed awm@linux
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Apr 28 05:31:01 2022 from 10.32.44.12
           .MMM..:MMMMMMM                 awm@linux
          MMMMMMMMMMMMMMMMMM              OS: Red Hat Enterprise Linux 8.5 (Ootpa) x86_64

yup… i can confirm… the issue is powershell with CMD works… never think on that.
thanks @aram

@aram just for information, i did a diff from both vault write… from powershell and cmd and the different can’t see a simple eye because is very similar the content, the different is powershell output on Windows UTF16 LE and from cmd output UTF8 Unix, that’s why the format from cmd is correct and linux can understand it. in any case thanks for the help

1 Like