Signed SSH certificates locked to a specific public key per user?

ahnberg · March 7, 2023, 11:53pm

Hey,
I’m setting up a workflow using Signed SSH Certificates - SSH - Secrets Engines | Vault | HashiCorp Developer and it works very well. I’ve created roles per user where they can only sign certificates for themselves.

From what I understand the user can use or create ANY public SSH key and send it in to be signed. Is there some way for me to block this and limit to a specific predefined public key to be signed? Reason for this is that I only want to allow them to sign keys that originate in their yubikeys. Anyone have a solution for this?

maxb · March 10, 2023, 10:14pm

Vault doesn’t support this at present, in any elegant way.

I suppose technically, since you’ve already got a model of one role per user - presumably with one policy per user - you could add allowed_parameters clauses to the policies, restricting the value of the public_key parameter to the sign API to specific values. You’d need your own custom automation to manage all those policy definitions.

ahnberg · March 11, 2023, 12:29pm

That was an excellent idea and it totally works, thank you!

Topic		Replies	Views
Signed SSH Certificates Vault vault	1	319	February 10, 2021
Certificates Signed by a Public CA Vault	2	388	December 2, 2021
Hashicorp Vault for certificate signed ssh Vault vault	0	30	September 28, 2024
Vault SSH signed key from PKCS11 or Yubikey? Vault vault	3	1622	August 4, 2021
How to add multiple users Vault	3	1333	July 16, 2020

Signed SSH certificates locked to a specific public key per user?

Related topics