Signed SSH certificates - a few questions

I am about to implement Vault’s SSH certificate signature tutorial and am very excited:

I have a local setup - a few Ubuntu machines running a variety of docker containers instantiated via docker-compose.
We currently share a single local service account to the Linux machines, and would like to make sure that we can easily revoke access to the machines as needed.

I have a couple questions:
1. Revoking logins
Once I (or another user) has created client certificates, how do I revoke those certs?
Can I just revoke the cert in Vault? Do I need to do anything on the Ubuntu hosts?

2. Provisioning accounts and credentials
Does each one of the users of the hosts use the same local Linux user account on the host? If each user creates their own cert, will they all be logging in to the same user account?
Do I need to provision distinct user accounts for each user that signs their own cert through Vault?

Your text says you want to do signed certificates, but your link goes to the page about OTPs, which are different. Perhaps you meant Signed SSH Certificates - SSH - Secrets Engines | Vault | HashiCorp Developer instead?

Generally you never do. Certificate lifetimes should generally be short enough that you never need to revoke them. (Users just keep coming back to Vault to get new ones as needed.)

The only means to revoke them is to refer to the OpenSSH documentation about Key Revocation Lists, which requires updating a file on every destination server that needs to know about the revocation.

Generally, you configure Vault so each user can only get a certificate for their own username, and they log into hosts using their own unique username.

Other configurations are possible, though - you can configure Vault so they can all get certificates for the same user if you really want to - but such a setup may make it difficult to tell who is actually logging in.
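Putting the reply's two points into practice, as an added example that is not from this thread: a Vault SSH CA role whose templated `allowed_users` pins each certificate's principal to the requester's own Vault username with a short TTL, the `sshd_config` lines each host needs to trust the CA and consult a KRL, and the OpenSSH KRL update for the rare case a certificate has to be pulled before it expires. It assumes the engine is mounted at `ssh-client-signer`, users log in with the `userpass` auth method, and the hosts run Ubuntu with an OpenSSH that reads `sshd_config.d` (20.04 or later); none of those details are stated in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumed: SSH secrets engine mounted at
# ssh-client-signer, users authenticate via userpass, VAULT_ADDR/VAULT_TOKEN set on
# the operator workstation, root on each Ubuntu host (OpenSSH >= 8.2 for sshd_config.d).
set -eu
MOUNT="ssh-client-signer"   # assumed mount path
ROLE="per-user"             # assumed role name
# Role body: key_type=ca signs user certs; allowed_users_template pins the cert's
# principal to the requester's own Vault identity alias (their login name), and the
# short ttl is what makes explicit revocation unnecessary in normal operation.
ssh_role_json() {
  local accessor="$1"       # accessor of the auth mount, e.g. auth_userpass_1a2b3c
  cat <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users_template": true,
  "allowed_users": "{{identity.entity.aliases.${accessor}.name}}",
  "default_extensions": { "permit-pty": "" },
  "ttl": "30m",
  "max_ttl": "1h"
}
EOF
}
# Operator side: look up the userpass accessor and write the role.
configure_vault_role() {
  local accessor
  accessor="$(vault auth list -format=json | jq -r '."userpass/".accessor')"
  ssh_role_json "$accessor" | vault write "${MOUNT}/roles/${ROLE}" -
}
# The two sshd_config lines every host needs: trust the Vault CA, consult a KRL.
sshd_trust_snippet() {
  printf 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem\nRevokedKeys /etc/ssh/revoked_keys\n'
}
# Host side (root): install the CA public key and an empty KRL, then reload sshd.
install_host_trust() {
  vault read -field=public_key "${MOUNT}/config/ca" > /etc/ssh/trusted-user-ca-keys.pem
  sshd_trust_snippet > /etc/ssh/sshd_config.d/vault-ca.conf
  ssh-keygen -k -f /etc/ssh/revoked_keys          # empty KRL until something is revoked
  sshd -t && systemctl reload ssh
}
# Emergency path only, repeated on every host: add one signed cert to the KRL.
revoke_cert_on_host() {                           # $1 = the *-cert.pub to revoke
  ssh-keygen -k -u -f /etc/ssh/revoked_keys -s /etc/ssh/trusted-user-ca-keys.pem "$1"
  # ssh-keygen -Q exits non-zero for a revoked key, so a zero exit means it did not take
  if ssh-keygen -Q -f /etc/ssh/revoked_keys "$1" >/dev/null; then
    echo "error: $1 not found in KRL" >&2; return 1
  fi
}
```

Run `configure_vault_role` once from a workstation with Vault access, `install_host_trust` once per host, and `revoke_cert_on_host` only when a certificate must die before its TTL, on every host that should stop honouring it.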