How to configure Vault's SSH-CA?

My SSH login is not working, so please help me if you know about it.

Can you answer the following questions?

  • Why do you need Vault SSH-CA?
  • What do you want to do with Vault?

Can you clarify if you are trying to log into Vault using a certificate instead of a user and password?


Hi, can you please explain what you are trying to achieve here?

I want to log in with an SSH certificate…

I want to configure Vault SSH-CA for login with a certified key… not for an uncertified one…

In order to log in to vault with a certificate, you will need to configure Vault with the TLS auth method. Details of how to configure this can be found here: TLS Certificates - Auth Methods | Vault by HashiCorp

Hope this helps

For this I followed this document.

According to this document, every command runs successfully except the last one; I mean to say that login with the certified key is not working.

So please check this document, then guide me.

That is the wrong document. The document is for signing SSH keys using Vault. You are trying to log into Vault using an SSH certificate.

Please follow the steps to enable Vault login by certificate.

In your Vault instance, you will need to run:

vault auth enable cert

Please follow the steps on this document instead: HashiCorp Vault TLS Certificate Auth Samples · GitHub

So that is something different. In Vault, Auth methods are what we use to authenticate users and applications to Vault.

What you have posted is for the SSH secrets engine, which is responsible for brokering SSH access to virtual machines. I think it's probably wise to start with the interactive tutorial on our learn site: SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn.

The repo you posted is a great example of a specific scenario and will more than likely be more valuable to you once you have gone through the learn guide.

I think you are not understanding what I want to say, so I sent a diagram of what I want to do.

So, to clarify, you want to log into the managed host using Vault as the SSH broker?

Yes, in the diagram it is clearly visible what I want to do.

For the workflow described above, you need the SSH secrets engine configured correctly. As I mentioned before, I recommend going through the learn guide I posted above to help you understand all of the required configurations. Posting the link again for reference: SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn

Please follow step-by-step the guide (SSH Secrets Engine: One-Time SSH Password | Vault - HashiCorp Learn) posted. It is a document that will tell you how to set up the SSH secrets engine.

We are trying to help as much as we can but do walk through the document first.


Please guide me on what it is about.

I want to sign in with the signed public key and private key and validate that you can log in…

If you sign in with an unsigned key, you should get the error output: Permission denied (publickey).

Can you post the following files? If they are not correct, the signed key may not be allowed.

  • user-policy.hcl
  • signer-clientrole.json
  • /etc/ssh/sshd_config
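As an added example (not from this thread, and not Vault's or OpenSSH's own code), the following Python decodes the public fields of a Vault-signed OpenSSH ed25519 user certificate and reports the conditions sshd checks before it ever looks at the signature: the signing CA must match a key listed in `TrustedUserCAKeys` in `/etc/ssh/sshd_config`, the login username must be one of the certificate's principals (the role's `default_user` / `allowed_users` in signer-clientrole.json), and the current time must fall inside the validity window (the role's `ttl`). The certificate and CA line embedded below are constructed placeholders with zero-filled keys and a dummy signature; a real `signed-cert.pub` and the real CA public key can be passed in the same form.

```python
import base64, hashlib, struct, time
def _s(b):  # encode bytes as an SSH wire "string" (uint32 length + data)
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):  # read one SSH "string" at offset, return (data, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(pubkey_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pubkey_blob).digest()).rstrip(b"=").decode()

def parse_cert(cert_line):
    """Parse the public fields of an OpenSSH ed25519 user cert; the signature is NOT verified."""
    blob = base64.b64decode(cert_line.split()[1])
    typ, off = _rd(blob, 0)
    _nonce, off = _rd(blob, off); _pubkey, off = _rd(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _rd(blob, off)
    princ_blob, off = _rd(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _rd(princ_blob, p); principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off); off += 16
    _crit, off = _rd(blob, off); _ext, off = _rd(blob, off); _res, off = _rd(blob, off)
    sig_key, off = _rd(blob, off)
    return {"type": typ.decode(), "serial": serial, "user_cert": ctype == 1, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before,
            "ca_fingerprint": fingerprint(sig_key)}

def why_rejected(cert, trusted_ca_lines, login_user, now=None):
    """Reasons sshd would refuse this cert for login_user; an empty list means it looks acceptable."""
    now = time.time() if now is None else now
    trusted = {fingerprint(base64.b64decode(l.split()[1]))
               for l in trusted_ca_lines if l.strip() and not l.startswith("#")}
    reasons = []
    if not cert["user_cert"]: reasons.append("not a user certificate")
    if cert["ca_fingerprint"] not in trusted: reasons.append("signing CA not in TrustedUserCAKeys")
    if login_user not in cert["principals"]: reasons.append(f"principal {login_user!r} not in {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]): reasons.append("outside validity window")
    return reasons

# Constructed sample (zero-filled keys, dummy signature): a CA line and a cert it claims to be signed by.
CA_BLOB = _s(b"ssh-ed25519") + _s(bytes(32))
CA_LINE = "ssh-ed25519 " + base64.b64encode(CA_BLOB).decode() + " vault-ssh-ca"
NOW = 1_700_000_000
CERT_BLOB = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(bytes(32)) + _s(bytes(32)) + struct.pack(">QI", 7, 1)
             + _s(b"vault-token-abc") + _s(_s(b"ubuntu")) + struct.pack(">QQ", NOW - 60, NOW + 1800)
             + _s(b"") + _s(_s(b"permit-pty") + _s(b"")) + _s(b"") + _s(CA_BLOB) + _s(b"dummy-signature"))
CERT_LINE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(CERT_BLOB).decode()
```

Run `why_rejected(parse_cert(open("signed-cert.pub").read()), open("/etc/ssh/trusted-user-ca-keys.pem").readlines(), "ubuntu")` against the real files to see which of the three conditions the host is failing on; `ssh-keygen -L -f signed-cert.pub` shows the same fields for comparison.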