Now that the latest version of Boundary has been released and it included support for vault-ssh-ca credential-libraries, I wanted to ask for some clarification on how to implement this feature, as it’s not clear from the tutorials or documentation.
My understanding is that once I have a Vault ssh-ca set up, I need to configure my keys in Vault that can then be retrieved by Boundary once an ssh-ca key has been signed. That being said, I’m assuming the “target” machine or “host” configured with Boundary will also need the pub key in order to sign.
Configure Hosts
You will need to distribute the CA public key to each host. This can be read back from Vault using the /ssh/public_key or /ssh/config/ca endpoints if you need to retrieve it again. The SSH service needs to be configured to trust the key. For example, assuming this key is added on the host to /etc/ssh/user_ca.pub, you would need to add the following to the host’s sshd config:
TrustedUserCAKeys /etc/ssh/user_ca.pub
Configure Boundary
You will need to create a credential library that will issue the credentials using the Vault role created above. For example:
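The host-side steps in the reply above (pull the CA public key from Vault, install it, make sshd trust it) plus the Boundary credential-library step, as an added example script that is not code from the thread or from the Vault/Boundary projects. It assumes the Vault SSH secrets engine is mounted at `ssh`, the signing role is called `boundary-client`, the CA key lands in `/etc/ssh/user_ca.pub`, and the `boundary credential-libraries create vault-ssh-certificate` subcommand and flags shown in `create_boundary_library` match the CLI; the sample key and sshd_config in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Vault/Boundary projects.
# Assumptions (labelled): Vault SSH mount "ssh", Vault role "boundary-client",
# CA key path /etc/ssh/user_ca.pub, and the Boundary CLI flags in create_boundary_library.
set -eu

# Lexical check that a line looks like "<key-type> <base64> [comment]".
# Stops an error message or empty output (e.g. a failed "vault read") from being
# written into the trusted-CA file, which would silently break certificate logins.
is_ssh_pubkey() {
  local line="$1"
  case "$line" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$line" | awk '{ print $2 }' | grep -Eq '^[A-Za-z0-9+/=]+$'
}

# Write the CA key to its trusted path, world-readable but writable only by the
# owner, so an unprivileged user on the host cannot swap in a CA of their own.
install_ca_key() {
  local key_line="$1" dest="$2"
  is_ssh_pubkey "$key_line" || { echo "refusing to install: not an SSH public key line" >&2; return 1; }
  printf '%s\n' "$key_line" > "$dest"
  chmod 0644 "$dest"
}

# Idempotently set "TrustedUserCAKeys <path>" in an sshd config. Any previous
# TrustedUserCAKeys directive is dropped rather than duplicated, so after a CA
# rotation the old CA is no longer trusted alongside the new one. Assumes the
# directive is not inside a Match block (this rewrite would hoist it out).
trust_ca_key() {
  local sshd_config="$1" ca_path="$2" tmp
  tmp="$(mktemp)"
  grep -v -E '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$sshd_config" > "$tmp" || true
  printf 'TrustedUserCAKeys %s\n' "$ca_path" >> "$tmp"
  cat "$tmp" > "$sshd_config"   # keeps the config file's owner and mode
  rm -f "$tmp"
}

# Number of TrustedUserCAKeys directives in a config (exactly 1 after trust_ca_key).
count_trusted_ca_lines() {
  grep -c -E '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$1" || true
}

# Full host enrolment: read the CA from Vault (the same data the /ssh/public_key
# endpoint returns), install it, trust it, and reload sshd only if "sshd -t" accepts
# the resulting config. Requires a Vault token that can read ssh/config/ca.
enroll_host() {
  local key
  key="$(vault read -field=public_key ssh/config/ca)"
  install_ca_key "$key" /etc/ssh/user_ca.pub
  trust_ca_key /etc/ssh/sshd_config /etc/ssh/user_ca.pub
  sshd -t && systemctl reload sshd
}

# Boundary side: create a credential library that asks the Vault role to sign a
# certificate, then attach it to the target as an injected credential source.
# Subcommand and flags are assumed from the Boundary CLI, not taken from the thread.
create_boundary_library() {
  local store_id="$1" target_id="$2" lib_id
  lib_id="$(boundary credential-libraries create vault-ssh-certificate \
    -credential-store-id "$store_id" \
    -vault-path "ssh/sign/boundary-client" \
    -username ubuntu \
    -key-type ed25519 \
    -format json | jq -r '.item.id')"
  boundary targets add-credential-sources -id "$target_id" \
    -injected-application-credential-source "$lib_id"
}
```

`TrustedUserCAKeys` makes sshd accept every certificate the CA signs, so the restrictions on who a certificate can log in as live in the Vault role (`allowed_users`, `ttl`, default extensions) and, if you want a host-side check as well, in sshd’s `AuthorizedPrincipalsFile`. Run `enroll_host` as root on each host; `create_boundary_library` takes the Vault credential store id and the target id and is run from a machine with the Boundary CLI authenticated.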
This helped me configure Vault correctly, and I think I have the Boundary side configured as well, except I get an error when I try to configure the target with the new credential source.
I’m still having trouble setting this up though, and I noticed this in the command line utility:
ssh Create a ssh-type target (HCP only)
Does this mean ssh ca is not supported for OSS setups? If so, are there plans to make this available for on-prem installations?