SSH-CA credential-library host requirements and configuration details

Now that the latest version of Boundary has been released, and it includes support for vault-ssh-ca credential libraries, I wanted to ask for some clarification on how to implement this feature, as it's not clear from the tutorials or documentation.

My understanding is that once I have a Vault SSH CA set up, I need to configure my keys in Vault, which can then be retrieved by Boundary once an SSH CA key has been signed. That being said, I'm assuming the "target" machine or "host" configured with Boundary will also need the public key in order to sign.

Hi,

Some of the details will depend on how you choose to configure Vault, but the high-level steps are:

  1. Configure Vault
    a. Enable/mount the ssh secret engine in vault
    b. Generate or upload a CA certificate
    c. Create a role

  2. Configure Hosts
    You will need to distribute the CA public key to each host. This can be read back from Vault using the /ssh/public_key or /ssh/config/ca endpoints if you need to retrieve it again. The SSH service needs to be configured to trust the key. For example, assuming this key is added on the host at /etc/ssh/user_ca.pub, you would need to add the following to the host's sshd config:

    TrustedUserCAKeys /etc/ssh/user_ca.pub

  3. Configure Boundary
    You will need to create a credential library that will issue the credentials
    using the vault role created above. For example:
$ boundary credential-libraries create vault-ssh-certificate \
  -credential-store-id=$CREDENTIAL_STORE_ID \
  -name=ssh-example \
  -username=foo \
  -vault-path=ssh/sign/foo \
  -key-type=ed25519 \
  -extension permit-pty

See the docs for more details on the options for the vault-ssh-certificate credential library.

Then you need an SSH target that uses this library as an injected application
credential source:

$ boundary targets create ssh \
  -address=myhost \
  -name=ssh-example \
  -scope-id=$PROJECT_SCOPE
$ boundary targets add-credential-sources \
  -id=$SSH_TARGET_ID \
  -injected-application-credential-source=$VAULT_SSH_CREDENTIAL_LIBRARY_ID

A more complete example/tutorial can be found here.

Let me know if you need additional details for any of the steps mentioned above.

1 Like
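The three steps above, wired together as one script. This is an added example, not code from the thread or from the Boundary project, and it assumes things the reply does not state: VAULT_ADDR/VAULT_TOKEN and BOUNDARY_ADDR are already exported, the SSH engine is mounted at "ssh", the Vault role is named "foo" (matching the `-vault-path=ssh/sign/foo` above), jq is installed, and CREDENTIAL_STORE_ID, PROJECT_SCOPE and TARGET_HOST are set by the caller. The `check_host_trust` function runs offline and is the part worth keeping around: it confirms a host's sshd_config actually points at the CA key Vault is signing with, which is the usual cause of "publickey" rejections after the Boundary side looks correct.

```shell
#!/bin/sh
# Added example (not from the original thread or the Boundary project).
# Usage: ssh-ca-setup.sh vault|host|boundary|check <sshd_config> <vault_ca.pub>
set -eu

SSH_MOUNT="${SSH_MOUNT:-ssh}"                  # assumed mount path
SSH_ROLE="${SSH_ROLE:-foo}"                    # assumed Vault role name
CA_PUB_PATH="${CA_PUB_PATH:-/etc/ssh/user_ca.pub}"

# Step 1: Vault. Mount the engine, let Vault generate the CA key pair so the
# private key never leaves it, and create a role that only signs short-lived
# user certificates for a single principal with a single extension.
configure_vault() {
  vault secrets enable -path="$SSH_MOUNT" ssh 2>/dev/null || true   # idempotent
  vault write "$SSH_MOUNT/config/ca" generate_signing_key=true
  vault write "$SSH_MOUNT/roles/$SSH_ROLE" - <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "$SSH_ROLE",
  "default_user": "$SSH_ROLE",
  "ttl": "5m",
  "max_ttl": "15m",
  "allowed_extensions": "permit-pty",
  "default_extensions": {"permit-pty": ""}
}
EOF
}

# Step 2: host. Pull the CA public key out of Vault and make sshd trust it.
# Run this on the target host (needs root and the Vault token).
install_ca_on_host() {
  vault read -field=public_key "$SSH_MOUNT/config/ca" > "$CA_PUB_PATH"
  chmod 0644 "$CA_PUB_PATH"
  grep -q "^TrustedUserCAKeys $CA_PUB_PATH" /etc/ssh/sshd_config ||
    echo "TrustedUserCAKeys $CA_PUB_PATH" >> /etc/ssh/sshd_config
  sshd -t                     # validate before reloading
  systemctl reload sshd
}

# Step 3: Boundary. Credential library signing with the role above, then an
# SSH target that injects the resulting certificate into the session.
configure_boundary() {
  lib_id=$(boundary credential-libraries create vault-ssh-certificate \
    -credential-store-id="$CREDENTIAL_STORE_ID" -name=ssh-example \
    -username="$SSH_ROLE" -vault-path="$SSH_MOUNT/sign/$SSH_ROLE" \
    -key-type=ed25519 -extension=permit-pty -format=json | jq -r .item.id)
  target_id=$(boundary targets create ssh -scope-id="$PROJECT_SCOPE" \
    -name=ssh-example -address="$TARGET_HOST" -default-port=22 \
    -format=json | jq -r .item.id)
  boundary targets add-credential-sources -id="$target_id" \
    -injected-application-credential-source="$lib_id"
}

# Offline check: does <sshd_config> have a TrustedUserCAKeys directive, does the
# file it names exist, and does its key (type + base64 blob, comment ignored)
# equal the CA public key read from Vault into <expected_ca_pub>?
check_host_trust() {
  cfg="$1"; expected="$2"
  ca_file=$(awk 'tolower($1)=="trustedusercakeys" {print $2; exit}' "$cfg")
  [ -n "$ca_file" ] || { echo "no TrustedUserCAKeys directive in $cfg" >&2; return 1; }
  [ -r "$ca_file" ] || { echo "CA file $ca_file is missing or unreadable" >&2; return 1; }
  got=$(awk 'NR==1 {print $1, $2}' "$ca_file")
  want=$(awk 'NR==1 {print $1, $2}' "$expected")
  [ "$got" = "$want" ] || { echo "CA key in $ca_file does not match Vault CA" >&2; return 1; }
}

case "${1:-}" in
  vault)    configure_vault ;;
  host)     install_ca_on_host ;;
  boundary) configure_boundary ;;
  check)    check_host_trust "${2:-/etc/ssh/sshd_config}" "${3:?path to CA pub from Vault}" ;;
  *)        : ;;   # no verb: only define the functions (sourcing the file)
esac
```

Running `vault read -field=public_key ssh/config/ca > /tmp/vault_ca.pub` on any machine and then `./ssh-ca-setup.sh check /etc/ssh/sshd_config /tmp/vault_ca.pub` on the host distinguishes "host never got the CA key" from "Boundary or the role is wrong" before you start debugging the credential library.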

This helped me configure Vault correctly, and I think I have the Boundary side configured as well, except I get an error when I try to configure the target with the new credential source.

I'm still having trouble setting this up, though, and I noticed this in the command-line utility:

    ssh    Create a ssh-type target (HCP only)

Does this mean SSH CA is not supported for OSS setups? If so, are there plans to make this available for on-prem installations?