Signed SSH Certificates

alain.gaspard · February 10, 2021, 3:11pm

for several users, shoud we create a role per user?

Thank you for your answers

ixe013 · February 10, 2021, 6:12pm

I’m about to walk that path Alain… So this might be wrong but here is how I see it.

Create a role per use case or so. Should be a handful at most.
For a given role, say “linux_admin”, create a Vault policy and assign that policy to whoever qualifies as a “linux_admin” to you. That policy allows whoever has it to call the ssh-client-signer/sign/my-role endpoint
For example, if your Linux administrator logs in Vault through the LDAP mount backend, assign the “can_issue_ssh_cert” to them via LDAP group membership.

Topic		Replies	Views
Signed SSH certificates locked to a specific public key per user? Vault	2	280	March 11, 2023
Vault SSH CA setup Vault	0	286	November 20, 2020
SSH Signed Certificates with host principal validation Vault	9	2530	June 24, 2022
Vault SSH OTP passwords Vault	20	719	August 6, 2023
Vault ssh policy to list only user's role Vault	2	794	October 19, 2023