Vault SSH for DevOpsDays

Setup

Available configurations for OTP or CA roles: https://www.vaultproject.io/api/secret/ssh/index.html

First, cleanup old items from prior testing

  > ./cleanup.sh

Run some setup scripts

  > ./setup-server.sh
  > . ./setup-env.sh

Show the server is up

  > vault status

Enable the ssh Secret engine backend (explain Vault engines)

  > vault secrets enable ssh

SSH OTP

Bring up a client node (show Docker file, explain config)

  > ./otp-client.sh

Try to ssh to show we can't

  > ssh ubuntu@localhost -p 2223

Create a Vault role for the ubuntu user (explain Vault roles)

  > vault write ssh/roles/otp_role \
      key_type=otp \
      default_user=ubuntu \
      cidr_list=172.18.0.0/16

Get the OTP

  > vault write ssh/creds/otp_role ip=172.18.0.3

ssh into the client

  > docker port otp-client
  > ssh ubuntu@localhost -p 2223

Enter the password from the key field in the write response above

Take a look at the PAM config

  > cat /etc/pam.d/sshd

Exit out and try the same password again and we'll see you can't log in: the OTP is single use. OTP baby!

SSH CA

Enable the Vault Certificate Authority

  > vault write ssh/config/ca generate_signing_key=true

You can also specify your own private and public keys if you'd like

Public key is accessible via the /public_key endpoint

  > curl http://localhost:8200/v1/ssh/public_key

Add the CA key to a client

Typically the CA key would be added via some config management tool or added via AWS cloud init, baked into the image/AMI, etc. We are gonna copy the file into a Vagrant VM.

  > cd devopsdays-denver-2018/scripts/
  > vault read -field=public_key ssh/config/ca > trusted-user-ca-keys.pem
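The copy above is the manual version of what config management would do on each client. The following POSIX sh script is an added example, not part of this repo: it checks that the exported trusted-user-ca-keys.pem really holds one OpenSSH public key before installing it, and points sshd at the file via TrustedUserCAKeys without leaving a stale CA line behind. The file paths in demo() and the key blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the devopsdays-denver-2018 repo): validate the CA public
# key exported from Vault and make sshd trust it via TrustedUserCAKeys.
# Paths are taken as arguments; the paths and key blobs in demo() are placeholders.

# Succeed only if FILE holds exactly one OpenSSH public key line of a known type.
validate_ca_key_file() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    lines=$(grep -c . "$file" || true)
    [ "$lines" -eq 1 ] || { echo "expected one key line, found $lines" >&2; return 1; }
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$file" \
        || { echo "not an OpenSSH public key line: $file" >&2; return 1; }
}

# Copy the validated key to KEY_DST and make CONFIG trust it, replacing any
# previous TrustedUserCAKeys line so exactly one CA is trusted. Safe to re-run.
install_trusted_ca() {
    key_src="$1"; key_dst="$2"; config="$3"
    validate_ca_key_file "$key_src" || return 1
    cp "$key_src" "$key_dst" && chmod 0644 "$key_dst"
    # Already pointing at our key: nothing to do.
    if grep -Fxq "TrustedUserCAKeys $key_dst" "$config" 2>/dev/null; then
        return 0
    fi
    { grep -Ev '^TrustedUserCAKeys([[:space:]]|$)' "$config" 2>/dev/null || true
      echo "TrustedUserCAKeys $key_dst"; } > "$config.tmp"
    mv "$config.tmp" "$config"
}

# Offline demo with constructed inputs: a placeholder CA key and an sshd_config
# that still trusts an old CA. Prints the resulting sshd_config.
demo() {
    dir=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder vault-ca\n' > "$dir/trusted-user-ca-keys.pem"
    printf 'Port 22\nTrustedUserCAKeys /etc/ssh/stale-ca.pem\n' > "$dir/sshd_config"
    install_trusted_ca "$dir/trusted-user-ca-keys.pem" "$dir/ca.pem" "$dir/sshd_config"
    cat "$dir/sshd_config"
}

# Usage: install_trusted_ca.sh SRC_KEY DST_KEY SSHD_CONFIG ; with no args, run the demo.
if [ "$#" -eq 3 ]; then
    install_trusted_ca "$1" "$2" "$3"
else
    demo
fi
```

On a real client you would run it as root against /etc/ssh/sshd_config and reload sshd afterwards; the demo only touches a temporary directory.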

Now we'll bring up the CA client

  > ./ca-client.sh

Test that we can't actually ssh to the node via the ubuntu user

  > ssh ubuntu@localhost -p 2222

Create a role

  > vault write ssh/roles/user-role @roles/user-role.json
  > vault read ssh/roles/user-role

Sign the local ssh key

We'll just write the signed key to a file

  > vault write -field=signed_key ssh/sign/user-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
  > chmod 600 ~/.ssh/id_rsa-cert.pub

Login

SSH into the instance with our new signed key

  > ssh ubuntu@localhost -p <port>
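Before trusting a freshly signed certificate it is worth reading back what Vault actually put in it: which principals it grants and whether it is time-bounded by the role's TTL. The following POSIX sh is an added example, not part of this repo: it parses the output of `ssh-keygen -L`, which is how OpenSSH prints a certificate's contents, and fails unless the certificate grants exactly the expected principal and has an expiry. The listing in sample_listing() is constructed; its fingerprints, serial and key id are placeholders, not values from the demo.

```shell
#!/bin/sh
# Added example (not from the devopsdays-denver-2018 repo): sanity-check a
# Vault-signed SSH certificate from `ssh-keygen -L` output before using it.

# Constructed sample of `ssh-keygen -L` output for a user certificate.
# Fingerprints, serial and key id are placeholders.
sample_listing() {
    cat <<'EOF'
/home/demo/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDERPUBKEYFINGERPRINT
        Signing CA: RSA SHA256:PLACEHOLDERCAFINGERPRINT (using rsa-sha2-256)
        Key ID: "vault-PLACEHOLDER-KEY-ID"
        Serial: 1234567890
        Valid: from 2018-04-24T10:00:00 to 2018-04-24T10:31:00
        Principals: 
                ubuntu
        Critical Options: (none)
        Extensions: 
                permit-pty
EOF
}

# Print the certificate's key id (stdin: ssh-keygen -L output).
cert_key_id() {
    sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

# Print the principals, one per line (stdin: ssh-keygen -L output).
# Principals are the indented lines after "Principals:" up to the next section header.
cert_principals() {
    awk '
        /^[[:space:]]*Principals:/ { inlist = 1; next }
        inlist && /^[[:space:]]*[A-Za-z].*:/ { inlist = 0 }
        inlist { sub(/^[[:space:]]+/, ""); if ($0 != "") print }
    '
}

# Succeed only if the listing on stdin grants exactly EXPECTED_USER and expires.
check_cert_listing() {
    expected="$1"
    listing=$(cat)
    principals=$(printf '%s\n' "$listing" | cert_principals)
    if [ "$principals" != "$expected" ]; then
        echo "unexpected principals: $(printf '%s' "$principals" | tr '\n' ' ')" >&2
        return 1
    fi
    if printf '%s\n' "$listing" | grep -q '^[[:space:]]*Valid: forever'; then
        echo "certificate never expires" >&2
        return 1
    fi
    return 0
}

# Check a real certificate file; needs ssh-keygen, so not exercised offline.
# Usage: check_cert_file ~/.ssh/id_rsa-cert.pub ubuntu
check_cert_file() {
    ssh-keygen -L -f "$1" | check_cert_listing "$2"
}

# With no arguments, run the check against the constructed sample.
if [ "$#" -eq 2 ]; then
    check_cert_file "$1" "$2"
else
    sample_listing | check_cert_listing ubuntu && echo "sample cert ok for ubuntu"
fi
```

The principal check is deliberately exact: a certificate carrying extra principals means the Vault role's allowed users are broader than intended, and an unbounded validity means the role has no TTL.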
