The Database Secrets Engine covers secrets rotation for several different database backends in a nicely abstract way. The specific plugins use the dedicated database plugin API, which abstracts password generation and other common details.
As part of a whitepaper for college I have tried to extend the functionality beyond databases. The use case at hand is secrets management on network devices (switches, routers, servers, …). It is a common issue in networking labs that simple user/password combinations are used for all devices. This is because of the high complexity of using one of the industry-standard solutions like LDAP/RADIUS/TACACS for all the different vendors and models used in a typical lab.
I realized that the database plugins can be abstracted further to use other connection protocols.
For the paper I developed a plugin with the database plugin API that connects via SSH to target systems and configures accounts.
The concept is exactly the same as for the normal database plugins, except that the connection is SSH. The plugin is working and it is quite flexible, as the commands are configurable (just as for Postgres and the like).
I think that it would be useful to make this development available to the community. I could just publish the current state and “market” the SSH plugin as a database secrets engine. In my opinion it would be prudent to include this thought in the Vault core, though. This would basically mean abstracting the database plugin API and secrets engine into something more generic (something like a “remote secrets rotation plugin”). The current database plugins would need minimal changes, but the concept could easily be used for broader use cases.
I would appreciate your thoughts about my idea.
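To make the proposed abstraction concrete, here is an added sketch (example code written for this discussion, not the poster's plugin and not Vault's own code) of a transport-agnostic rotation core in Go. It keeps the configurable-statement idea of the database plugins (`{{name}}`/`{{password}}` placeholders, separate creation/rotation/revocation statements) and moves the only backend-specific part, delivering a statement, behind a `Transport` interface. The `FakeTransport`, `LinuxStatements` sample and the 24-character password length are constructed for the example; a real SSH plugin would implement `Transport` with an SSH client and plug into Vault's database plugin interface instead of a bare struct. Two checks matter once statements reach a remote shell rather than a SQL driver: usernames are validated against a strict pattern and every substituted value is single-quoted, so neither an operator-supplied name nor a generated password can change the meaning of the command.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Transport is the one thing that differs between a database plugin and an
// SSH plugin: how a rendered statement reaches the managed system.
type Transport interface {
	Exec(cmd string) (string, error)
}

// Statements holds the operator-configurable command templates, in the spirit
// of the creation/rotation/revocation statements of Vault's database plugins.
type Statements struct {
	Create []string
	Rotate []string
	Revoke []string
}

// RemoteRotator is the transport-agnostic core: generate a credential, render
// the statements, send them. It knows nothing about SSH or SQL.
type RemoteRotator struct {
	Transport Transport
	Stmts     Statements
}

// Usernames are validated rather than merely quoted: a rotation plugin should
// never let an arbitrary string reach a remote shell.
var safeName = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// Alphabet without shell metacharacters; quoting in Render is the second layer.
const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// GeneratePassword draws n characters uniformly from passwordAlphabet with crypto/rand.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// ShellQuote wraps s in single quotes for a POSIX shell, escaping embedded quotes.
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// Render substitutes {{name}} and {{password}} (the placeholder style of the
// database plugins) and rejects statements that still contain a placeholder.
func Render(tmpls []string, username, password string) ([]string, error) {
	if !safeName.MatchString(username) {
		return nil, fmt.Errorf("refusing unsafe username %q", username)
	}
	r := strings.NewReplacer("{{name}}", ShellQuote(username), "{{password}}", ShellQuote(password))
	cmds := make([]string, 0, len(tmpls))
	for _, t := range tmpls {
		c := r.Replace(t)
		if strings.Contains(c, "{{") {
			return nil, fmt.Errorf("unresolved placeholder in statement %q", t)
		}
		cmds = append(cmds, c)
	}
	return cmds, nil
}

// run renders one statement set and sends each statement through the transport.
func (rr *RemoteRotator) run(tmpls []string, username, password string) error {
	cmds, err := Render(tmpls, username, password)
	if err != nil {
		return err
	}
	for _, c := range cmds {
		if _, err := rr.Transport.Exec(c); err != nil {
			return fmt.Errorf("executing %q: %w", c, err)
		}
	}
	return nil
}

// NewUser creates an account with a fresh password and returns that password.
func (rr *RemoteRotator) NewUser(username string) (string, error) {
	pw, err := GeneratePassword(24)
	if err != nil {
		return "", err
	}
	if err := rr.run(rr.Stmts.Create, username, pw); err != nil {
		return "", err
	}
	return pw, nil
}

// UpdateUser rotates the password of an existing account and returns the new one.
func (rr *RemoteRotator) UpdateUser(username string) (string, error) {
	pw, err := GeneratePassword(24)
	if err != nil {
		return "", err
	}
	if err := rr.run(rr.Stmts.Rotate, username, pw); err != nil {
		return "", err
	}
	return pw, nil
}

// DeleteUser revokes the account; revocation statements carry no password.
func (rr *RemoteRotator) DeleteUser(username string) error {
	return rr.run(rr.Stmts.Revoke, username, "")
}

// FakeTransport (constructed for this example) records what would have been
// sent over SSH so the rotation logic can be exercised offline.
type FakeTransport struct{ Log []string }

func (f *FakeTransport) Exec(cmd string) (string, error) {
	f.Log = append(f.Log, cmd)
	return "", nil
}

// LinuxStatements is a constructed sample statement set for a Linux host.
func LinuxStatements() Statements {
	return Statements{
		Create: []string{"useradd -m {{name}}", "echo {{name}}:{{password}} | chpasswd"},
		Rotate: []string{"echo {{name}}:{{password}} | chpasswd"},
		Revoke: []string{"userdel -r {{name}}"},
	}
}

func main() {
	ft := &FakeTransport{}
	rr := &RemoteRotator{Transport: ft, Stmts: LinuxStatements()}
	pw, err := rr.NewUser("lab-user")
	if err != nil {
		panic(err)
	}
	fmt.Println("generated password:", pw)
	for _, c := range ft.Log {
		fmt.Println("would send:", c)
	}
	if _, err := rr.NewUser("bad;name"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point of the split is that swapping `FakeTransport` for an SSH client (or a SQL connection) changes nothing in `RemoteRotator`, which is the generalisation the post argues for; the statement sets per device type stay pure configuration, as they are for Postgres today.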