Looking for Client config in Vault
As per the doc Managing SSH Access at Scale with HashiCorp Vault, vault login -method=userpass username=alice password=passw0rd used to login vault.
Questions:
Do we need to install vault in all clients ?
How do we enable connection between CA server and Client ?
I’m assuming “clients” means end users here. If you intend to use the Vault binary for authentication and routine interaction, then yes, it would need to be distributed to all your users.
Alternatively you can write your own script, binary, or web interface that simplifies the processes for your end users. Scripts and binaries will still need to be distributed to your end users where as a central web interface can be accessed via the browser. (Vault does have a rudimentary GUI component for SSH key signing but it’s clunky in my experience. You have to copy the contents of your public key into the web GUI instead of selecting a file to upload. Likewise the signed key results is the content which you’d have to copy and save to a file).
Clients (end users) need to be granted permission to sign their public SSH key for the given role you define. The ability to sign a key with a role associated with a given SSH engine mount is the connection between the two.
Side note: SSH roles can only be restricted via IP address. If you want or need stronger separation then I believe you’ll need to create additional SSH engine mounts.