Steps to setup Vault SSH CA secrets engine for use with Ansible
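# Runbook: set up the Vault SSH CA secrets engine for Ansible client-key signing.
# Run the steps in order on a host with the vault CLI and admin access to sshd.
# Placeholders in <angle brackets> must be replaced before the line is run.

# 1. (Optional) Disable SSH and Key/Value secrets engines if they existed.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
# A token assigned on the command line ends up in shell history; `vault login`
# or reading it from a file avoids that where it matters.
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv

# 2. Enable SSH secrets engine (client signer role) and generate a CA.
# -field=public_key prints only the CA public key, so jq is not required.
vault secrets enable -path=ssh ssh
vault write -field=public_key ssh/config/ca generate_signing_key=true > ./trusted-user-ca-keys.pem

# 3. Trust the CA in sshd. The append is guarded so re-running this step does
# not add a duplicate TrustedUserCAKeys line; `sshd -t` validates the config
# before the restart so a broken sshd_config cannot lock you out.
sudo install -m 0644 -o root -g root ./trusted-user-ca-keys.pem /etc/ssh/trusted-user-ca-keys.pem
if ! sudo grep -q '^TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' /etc/ssh/sshd_config; then
  echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" | sudo tee --append /etc/ssh/sshd_config
fi
sudo sshd -t && sudo systemctl restart sshd

# 4. Create an SSH client-key signing role for Ansible with a 30 minute
# validity period. allowed_users "*" lets any holder of the policy in step 6
# request a certificate for any principal; narrow it to the account Ansible
# actually logs in as (e.g. "root") where possible. The heredoc delimiter is
# quoted so the shell does not expand anything inside the JSON.
vault write ssh/roles/ansible -<<'EOF'
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "root",
  "ttl": "30m0s"
}
EOF

# 5. Enable KV v2 and upload a public/private key pair for Ansible.
# @file makes the vault CLI read the key material from disk instead of taking
# it on argv, where it would be visible in `ps` output and shell history.
# `vault kv put` adds the {"data": ...} envelope KV v2 expects and targets the
# same logical path (kv/ansible) that step 7 reads with `vault kv get`.
vault secrets enable -version=2 kv
rm -f ansible-key ansible-key.pub
ssh-keygen -t rsa -b 4096 -f ansible-key -N ""
vault kv put kv/ansible ssh-private-key=@ansible-key ssh-public-key=@ansible-key.pub ssh-username=root

# 6. Create a policy and a Vault token that allow a public key to be signed
# and the stored key pair to be read.
vault policy write ansible-ssh - <<'EOF'
path "ssh/sign/ansible" { capabilities = ["create", "update"] }
path "kv/*" { capabilities = ["read"] }
EOF
vault policy list   # Should see ansible-ssh policy
vault secrets list  # Should see ssh and kv secrets engines
vault token create -policy=ansible-ssh -period=24h

# 7. Client key signing and performing SSH
export VAULT_TOKEN=<use-token-from-before>

# Preferred method - fetch the key pair from Vault, then sign the public key.
# `ssh -i` expects a *path*: the private key is written to a 0600 temp file
# rather than expanded inline, and the certificate is stored next to it as
# <key>-cert.pub, the name ssh looks for automatically. The public key is safe
# to pass on argv.
keyfile=$(mktemp)
chmod 600 "$keyfile"
vault kv get -field=ssh-private-key kv/ansible > "$keyfile"
vault write -field=signed_key ssh/sign/ansible \
  public_key="$(vault kv get -field=ssh-public-key kv/ansible)" > "${keyfile}-cert.pub"
ssh -i "$keyfile" root@managed-host
rm -f -- "$keyfile" "${keyfile}-cert.pub"

# Alternatively, sign a local public/private key pair. @file reads the public
# key from disk; ansible-key-cert.pub is picked up by ssh alongside ansible-key.
vault write -field=signed_key ssh/sign/ansible public_key=@ansible-key.pub > ansible-key-cert.pub
ssh -i ansible-key root@managed-host

# 8. Rotate the Ansible key: generate and upload a new public/private key pair.
# This needs a token with write access to kv/* (e.g. the admin token from
# step 1); the ansible-ssh policy only grants read. KV v2 keeps prior versions
# of the secret, so destroy them if the old key must not remain retrievable.
rm -f ansible-key ansible-key.pub
ssh-keygen -t rsa -b 4096 -f ansible-key -N ""
vault kv put kv/ansible ssh-private-key=@ansible-key ssh-public-key=@ansible-key.pub ssh-username=root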