Hashicorp Vault for certificate signed ssh

Hi All!

I’ve recently been trying out Hashicorp Vault and finding it very useful.

I’m trying to set up signed ssh certificates to login to my remote hosts/servers, as per this guide:

I sent the public .pem file of Vault to the target host that I want to login to and pointed to it in
/etc/ssh/sshd_config
using
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

I generated a public private key pair on my client. I got the public key signed by Vault on my Vault server using that guide and sent it back to the client.

I am able to ssh into the target host fine with either password or private key ssh. What I am unable to get working is ssh with the signed public key and also to force it to use only that method.

Here are the commands I have tried adding to the host (Debian) /etc/ssh/sshd_config settings file:
usePAM no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubKeyAuthentication no

Here is the ssh command I’m using:
ssh -v -o "IdentityOnly yes" -o CertificateFile="/path/to/signedcert.pub" -i "/path/to/privatekey" user@IP

The -v output indicates that it tries the various options but ultimately the signed certificate doesn’t work and it falls back to password authentication (which is also unclear to me, since I thought my settings in sshd_config would be enough to disable that…). I am running
sudo systemctl restart sshd when making these changes on the target host.

Any advice or suggestions would be very much appreciated on this as I’m feeling quite stuck but probably missing something obvious…

Thanks for your help!
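An added example, not from the original post: a small offline checker for the sshd_config settings that govern certificate login. It assumes sshd's documented parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, directives under Match are conditional) and encodes the fact that SSH certificates are presented through the public-key authentication method, so PubkeyAuthentication has to remain enabled for TrustedUserCAKeys to be of any use. The sample config is constructed to mirror the settings listed above.

```python
"""Offline audit of sshd_config settings relevant to SSH certificate login."""
from typing import Dict, List

# Constructed sample mirroring the settings from the post (not a real host).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
usePAM no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubKeyAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings as {lowercase keyword: value}."""
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()                # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                   # everything after Match is conditional
            continue
        if in_match:
            continue
        effective.setdefault(key, value)      # first occurrence wins in sshd
    return effective


def audit_certificate_auth(text: str) -> List[str]:
    """List reasons certificate login would fail or passwords would still be accepted."""
    cfg = parse_sshd_config(text)
    issues: List[str] = []
    # Certificates ride on the public-key method; disabling it disables them too.
    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        issues.append("PubkeyAuthentication is 'no': certificate auth cannot succeed")
    if "trustedusercakeys" not in cfg:
        issues.append("TrustedUserCAKeys is not set: sshd trusts no user CA")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        issues.append("PasswordAuthentication is not 'no': password fallback remains")
    # KbdInteractiveAuthentication replaced the older ChallengeResponseAuthentication name.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        issues.append("Keyboard-interactive auth is enabled: PAM password prompts remain")
    return issues
```

Running `audit_certificate_auth` over a copy of the live file (read with `open("/etc/ssh/sshd_config").read()`) gives the same findings for a real host.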