How to add multiple users

itstjbala · July 15, 2020, 10:55am

Hi team,
Hope you’re doing great.
I’ve a little doubt regarding Hashicorp Vault.

Consider - We have 500 servers and we have 30 PAs . We wanted to make sure the every SSH key of all these 30 PA’s to be stored in this vault . Vault to push the keys back to server - as there may be cases that PA’s get their SSH key changed and also PA’s move out of the company or move out of the project - then we need to keep the Servers updated with the latest keys on the server.

Can this be done?

If yes can you please let me know what it can be done?

Waiting for the reply

mikegreen · July 15, 2020, 10:26pm

Have you read thru the SSH CA functionality? It should do what you’re looking to do - and 500 servers + 30 (what’s a PA?) would be a small load and entirely doable with a small Vault cluster.

itstjbala · July 16, 2020, 3:45am

@mikegreen actually can i pull the usernames and passwords from external common database and push it to vault server.Can we do this ?

mikegreen · July 16, 2020, 3:45pm

You can do pretty much anything with the Vault API to load/update/enter data.

I think pulling plaintext passwords from an external system and loading them into Vault is a bit odd from a security practice, but doable for sure.

You should read up on this - where you can use userpass and SSH CA together:

gist.github.com

https://gist.github.com/kawsark/587f40541881cea58fbaaf07bb82b1be

Vault-ssh-ca-README.md

# SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

## Prerequisites

* This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
* The client system must be able to reach the Vault server and the OpenSSH server.
* We will refer to these systems respectively as:
  * VAULT_SERVER

This file has been truncated. show original

And also maybe creating a single entity for a user, which consists of the user/pass and other auth methods:

Topic		Replies	Views
Hashicorp Vault for certificate signed ssh Vault vault	0	37	September 28, 2024
Aggregate multi APIs secrets vault Vault vault	0	288	August 31, 2022
Use Vault k/v secrets to retrieve ssh keys and connect to a server Vault	4	893	August 18, 2021
Signed SSH certificates locked to a specific public key per user? Vault	2	280	March 11, 2023
GitHub SSH-key based authentication with Hashicorp vault Vault vault	0	469	April 20, 2021

How to add multiple users

Related topics