Signed SSH certificates locked to a specific public key per user?

Hey,
I’m setting up a workflow using Signed SSH Certificates - SSH - Secrets Engines | Vault | HashiCorp Developer and it works very well. I’ve created roles per user where they can only sign certificates for themselves.

From what I understand the user can use or create ANY public SSH key and send it in to be signed. Is there some way for me to block this and limit it to a specific, predefined public key to be signed? The reason for this is that I only want to allow them to sign keys that originate in their YubiKeys. Does anyone have a solution for this?

Vault doesn’t support this at present, in any elegant way.

I suppose technically, since you’ve already got a model of one role per user - presumably with one policy per user - you could add allowed_parameters clauses to the policies, restricting the value of the public_key parameter of the sign API to specific values. You’d need your own custom automation to manage all those policy definitions.

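A worked version of the allowed_parameters approach described in the answer above, added here as an example; it is not code from this thread, from Vault or from its documentation. It assumes (none of this is stated in the thread) that the SSH secrets engine is mounted at `ssh-client-signer`, that each user's role is named after the user, so the sign endpoint for alice is `ssh-client-signer/sign/alice`, and that the pinned keys come from a `PINNED_KEYS` map that is constructed sample data, not real keys. The script validates each key line before pinning it and renders one policy per user, which is the custom automation the answer says you would need:

```python
"""Per-user Vault policies pinning the SSH CA sign endpoint to one public key
via allowed_parameters. Added example, not code from the thread or from Vault.

Assumed (not in the thread): the SSH engine is mounted at MOUNT and each role
is named after its user, so alice signs at <MOUNT>/sign/alice.
"""
import base64
import re
import struct

MOUNT = "ssh-client-signer"  # assumed mount path
USER_RE = re.compile(r"[a-z0-9][a-z0-9._-]*")  # keep user names out of path tricks


def parse_pubkey(line: str) -> tuple[str, str, str]:
    """Split an OpenSSH public key line into (type, base64, comment).

    The key type embedded in the wire-format blob must match the text prefix,
    so a mislabelled or truncated key is rejected before it gets pinned.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match the prefix")
    return key_type, b64, comment


def is_pinnable(line: str) -> bool:
    try:
        parse_pubkey(line)
        return True
    except ValueError:
        return False


def allowed_values(line: str) -> list[str]:
    """Strings to whitelist for public_key.

    allowed_parameters compares the request value as an exact string, so the
    client must send the key byte for byte as listed. Listing both the bare
    key and the key with its comment lets either form of the same key pass.
    """
    key_type, b64, comment = parse_pubkey(line)
    values = [f"{key_type} {b64}"]
    if comment:
        values.append(f"{key_type} {b64} {comment}")
    return values


def hcl_quote(s: str) -> str:
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_policy(user: str, line: str, mount: str = MOUNT) -> str:
    """Render the HCL policy that lets `user` sign only the pinned key."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"unsafe user name for a policy path: {user!r}")
    values = ", ".join(hcl_quote(v) for v in allowed_values(line))
    return (
        f'path "{mount}/sign/{user}" {{\n'
        '  capabilities = ["create", "update"]\n'
        "  allowed_parameters = {\n"
        f'    "public_key" = [{values}]\n'
        "    # Once allowed_parameters is non-empty, every other request parameter\n"
        '    # (valid_principals, ttl, extensions, ...) is denied unless "*" is\n'
        "    # listed. The role definition still bounds what those may contain.\n"
        '    "*" = []\n'
        "  }\n"
        "}\n"
    )


def render_all(pinned: dict[str, str], mount: str = MOUNT) -> dict[str, str]:
    """One policy per user: the automation the answer says you would need."""
    return {user: render_policy(user, key, mount) for user, key in pinned.items()}


def constructed_key(key_type: str, key_bytes: bytes, comment: str = "") -> str:
    """Fabricate a syntactically valid key line for sample input only."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".strip()


# Constructed sample data, not real keys. FIDO-backed YubiKey keys show up as
# sk-* types; the fake blob for bob carries no real application field.
PINNED_KEYS = {
    "alice": constructed_key("ssh-ed25519", bytes(range(32)), "alice@yubikey"),
    "bob": constructed_key("sk-ssh-ed25519@openssh.com", bytes(32), "bob@yubikey"),
}

if __name__ == "__main__":
    for user, hcl in render_all(PINNED_KEYS).items():
        print(f"# policy ssh-sign-{user}\n{hcl}")
```

Each rendered policy is loaded with `vault policy write ssh-sign-alice alice.hcl` and attached to that user's auth entity or token in place of (or alongside) the existing per-user policy. Because the comparison is an exact string match, verify the result with the same client invocation users will run (for example `vault write ssh-client-signer/sign/alice public_key=@key.pub`): a different comment, trailing whitespace or a reformatted key line is a permission denied, which is the behaviour you want, but only once the pinned value matches what the real client sends.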

That was an excellent idea and it totally works, thank you!