One of my customers is running a Vault enterprise instance.
I am currently looking into using the ‘SSH CA’ functionality of Vault which is linked to an IDP, allowing me to get a short-lived signed public key which I can use for SSH.
Looking at the following resources, this seems possible:
So in my head, the following would need to happen:
Create a keypair on the YubiKey or other PKCS11 device
Retrieve the public key from the YubiKey/PKCS11 device
Trigger logon onto vault server with SSO
Get the PKCS11 public key signed by Vault's SSH CA secrets engine
Add the signed public key and private key to the SSH agent
Connect to the git instance over SSH
Is there a way to instruct the Vault CLI to store/use keys on a PKCS11/YubiKey?
What would the vault command look like?
I’m always interested in ways to use my YubiKey with Vault. Have you found a method for signed SSH certificates?
I don’t think the Vault CLI tool can help out here, but you can accomplish this with curl by using the proper REST calls. You can use the API guide and/or the Vault CLI -output-curl-string argument to help piece together the commands.
For example, I use my YubiKey for Vault PKI logins that sign my SSH public key. It's just a bash script and it's by no means optimal nor finished.
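An added example of the curl-based flow suggested above, not code from the thread or from HashiCorp: it covers steps 2 to 5 of the list in the question (exporting the public key from the token, SSO login with the CLI, signing through the HTTP API, loading provider and certificate into the agent); generating the key on the YubiKey itself (step 1) is left to the token's own tooling. Assumed placeholders: the OIDC auth method is enabled, the SSH secrets engine is mounted at "ssh" with a role named "git-user", VAULT_ADDR is exported, jq and a PKCS#11 module are installed, and the OpenSSH version accepts certificate files after `ssh-add -s`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Drives the flow with the vault CLI for the
# SSO step and the HTTP API for signing. Placeholders (assumed): OIDC auth is
# enabled, the SSH secrets engine is mounted at "ssh" with a role "git-user",
# VAULT_ADDR is exported, and jq plus a PKCS#11 module are installed.
set -eu

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/libykcs11.so}"  # assumed path
SSH_ROLE="${SSH_ROLE:-git-user}"       # placeholder role name
KEY_BASENAME="${HOME}/.ssh/yubikey"    # where the public key and certificate are written

# Certificate file name OpenSSH pairs with a public key: id.pub -> id-cert.pub
cert_path_for() { printf '%s-cert.pub\n' "${1%.pub}"; }

# Request body for POST /v1/ssh/sign/<role>; the public key is passed verbatim
sign_request_body() {
  printf '{"public_key":"%s","valid_principals":"%s"}\n' "$1" "$2"
}

# Step 2: export the first public key the token exposes (the private key never leaves it)
export_pkcs11_pubkey() { ssh-keygen -D "$PKCS11_MODULE" | head -n 1; }

# Step 3: SSO login; the CLI opens a browser and caches the token in ~/.vault-token
vault_oidc_login() { vault login -method=oidc -no-print; }

# Step 4: have the SSH CA sign the public key; prints the certificate line
vault_sign_pubkey() {
  token=$(cat "${HOME}/.vault-token")
  curl -fsS -H "X-Vault-Token: ${token}" \
       -d "$(sign_request_body "$1" "$2")" \
       "${VAULT_ADDR}/v1/ssh/sign/${SSH_ROLE}" | jq -r '.data.signed_key'
}

main() {
  principal="${1:-git}"
  pub="$(export_pkcs11_pubkey)"
  printf '%s\n' "$pub" > "${KEY_BASENAME}.pub"
  vault_oidc_login
  vault_sign_pubkey "$pub" "$principal" > "$(cert_path_for "${KEY_BASENAME}.pub")"
  # Step 5: load the PKCS#11 provider plus the certificate into the agent; afterwards
  # a plain `ssh git@host` presents the short-lived certificate
  ssh-add -s "$PKCS11_MODULE" "$(cert_path_for "${KEY_BASENAME}.pub")"
  # Check what was actually issued: principals, validity window, extensions
  ssh-keygen -L -f "$(cert_path_for "${KEY_BASENAME}.pub")"
}

# Run only when explicitly requested, so sourcing the file just defines the functions
if [ -n "${RUN_SSH_SIGN:-}" ]; then main "$@"; fi
```

Run it with `RUN_SSH_SIGN=1 ./sign.sh git`; the final `ssh-keygen -L` output is the place to confirm the CA applied the role's principals and TTL rather than what the client asked for.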