How to Configuring Vault's SSH-CA?

hafizzainansari777 · February 24, 2021, 4:37pm

My SSH Login is not working so please help me who know about it.

joatmon08 · February 24, 2021, 5:42pm

Can you answer the following questions?

Why do you need Vault SSH-CA?
What do you want to do with Vault?

joatmon08 · February 24, 2021, 5:44pm

Can you clarify if you are trying to log into Vault using a certificate instead of a user and password?

DevOpsRob · February 24, 2021, 5:47pm

Hi, can you please expain what you are trying to achieve here?

hafizzainansari777 · February 24, 2021, 5:50pm

i want to login to with SSH Certificate…

hafizzainansari777 · February 24, 2021, 5:53pm

i want to configuring vault SSH-CA for login with certified key…not for un certified…

DevOpsRob · February 24, 2021, 5:54pm

In order to log in to vault with a certificate, you will need to configure Vault with the TLS auth method. Details of how to configure this can be found here: TLS Certificates - Auth Methods | Vault by HashiCorp

Hope this helps

hafizzainansari777 · February 24, 2021, 5:56pm

for this i follow this document

gist.github.com

https://gist.github.com/kawsark/587f40541881cea58fbaaf07bb82b1be

Vault-ssh-ca-README.md

# SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

## Prerequisites

* This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
* The client system must be able to reach the Vault server and the OpenSSH server.
* We will refer to these systems respectively as:
  * VAULT_SERVER

This file has been truncated. show original

According this document every command is sucessfully run but last one, i mean to say login with Certified key is not working

hafizzainansari777 · February 24, 2021, 5:57pm

so please check this document then guide me

joatmon08 · February 24, 2021, 5:59pm

That is the wrong document. The document is for signing SSH keys using Vault. You are trying to log into Vault using an SSH certificate.

Please follow the steps to enable Vault login by certificate.

In your Vault instance, you will need to run:

vault auth enable cert

Please follow the steps on this document instead: HashiCorp Vault TLS Certificate Auth Samples · GitHub

DevOpsRob · February 24, 2021, 6:04pm

So that is something different. In Vault, Auth methods are what we use to authenticate users and applications to Vault.

What you have posted is for the ssh secrets engine which is responsible for brokering SSH access to virtual machines. I think its probably wise to start with the interactive tutorial on our learn site: SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn.

The repo you posted is a great example of a specific scenario and will more than likely be more vaulable to you once you have gone through the learn guide.

hafizzainansari777 · February 24, 2021, 6:06pm

i think you r not understand what i want to say so i sent a diagram about that what i want to do???

DevOpsRob · February 24, 2021, 6:08pm

so to clarify, you want to log into the managed host using Vault as the ssh broker?

hafizzainansari777 · February 24, 2021, 6:12pm

yes in diagram clearly visible what i want to do???

DevOpsRob · February 24, 2021, 6:18pm

for the workflow descibed above, you need the SSh secrets engine configured correctly. As I mentioned before, i reccomend going through the learn guide I posted above to help you understand all of the required configurations. posting the link again for reference: SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn

joatmon08 · February 24, 2021, 6:22pm

Please follow step-by-step the guide (SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn) posted. It is a document that will tell you how to set up the SSH secrets engine.

We are trying to help as much as we can but do walk through the document first.

hafizzainansari777 · February 24, 2021, 6:30pm

gist.github.com

https://gist.github.com/kawsark/587f40541881cea58fbaaf07bb82b1be

Vault-ssh-ca-README.md

# SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

## Prerequisites

* This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
* The client system must be able to reach the Vault server and the OpenSSH server.
* We will refer to these systems respectively as:
  * VAULT_SERVER

This file has been truncated. show original

please guide me that what’s is it about???

hafizzainansari777 · February 24, 2021, 6:46pm

i want to Sign-in with signed public key and private key and validate you can login…

hafizzainansari777 · February 24, 2021, 6:47pm

if sign-in with unsigned key, you should get the output Permission denied (publickey). error:

joatmon08 · February 24, 2021, 6:54pm

Can you post the following files? If they are not correct, the signed key may not be allowed.

user-policy.hcl
signer-clientrole.json
/etc/ssh/sshd_config

Topic		Replies	Views
Using Vault as an SSH certificate authority asks for password Vault	9	522	June 6, 2023
Hashicorp Vault for certificate signed ssh Vault vault	0	60	September 28, 2024
Issues with TLS configuration for Vault Vault	4	3542	August 21, 2023
Can't authenticate with Certificate method - client certificate must be supplied Vault	2	4963	April 29, 2021
Vault startup fails while I use my certificate Vault	3	1055	July 23, 2023

How to Configuring Vault's SSH-CA?

Related topics