Automate signing SSH host- and client certificates for a more secure and scalable infrastructure.
- Sign SSH host public keys
- Sign SSH user public keys
- Read CA from a given Vault ssh mount
- Authenticate against Vault using AppRole, (explicit) token or implicit auth
- Both your workstation's CLI and your servers up in the cloud are 1st class citizens
- Automatically renews certificates based on their lifetime
- Provides metrics to increase observability for robust automation
SSH client certificates make sense
- to avoid the chore of synchronizing `authorized_keys` files across servers
- to avoid theft of public key pairs

SSH host certificates help prevent MitM attacks for clients that have not yet established trust with a server.
Both client and host certificates allow for efficient scaling regarding the number of clients and servers.
vault-ssh-cli, leveraging its automation and observability capabilities, allows using SSH certificates while obeying security best practices such as short-lived certificates and timely re-generation.
Pre-compiled binaries can be found at the releases section. They are signed using a cryptographic signature made by signify using the following public key:

```
untrusted comment: signify public key
RWSFxNuvQMx07H1IC6sUxJvlsdtfDlY39EdoHMG/ZpivtOmp8sJ3DMEg
```

To verify the cryptographic signature, run

```
$ signify -V -p /path/to/downloaded/pubkey -m checksum.sha256
$ sha256sum -c checksum.sha256
```

Alternatively, build and install from source:

```
$ go install github.com/soerenschneider/vault-ssh-cli@latest
```
`vault-ssh-cli` is suited to be scheduled continuously by an external actor such as systemd or (Kubernetes) cron jobs; it only renews a certificate after a certain threshold of its lifetime has passed.

Metrics can be provided by
- dumping metrics to disk to be picked up by Prometheus node_exporter
- pushing metrics to Prometheus Pushgateway

All metrics are exposed using the prefix `ssh_key_signer`.
| Name | Type | Description |
|---|---|---|
| success_bool | Gauge | Whether the tool ran successfully |
| cert_expiry_seconds | Gauge | The date after which the cert is not valid anymore |
| cert_lifetime_seconds_total | Gauge | The total number of seconds this certificate is valid |
| cert_lifetime_percent | Gauge | The passed lifetime of the certificate in percent |
| run_timestamp_seconds | Gauge | Unix timestamp of the tool's last run |
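The renewal-threshold logic and the metrics table above can be shown in a few lines of Go. The following is an added example written for this page, not code from the vault-ssh-cli project: it computes how much of a certificate's validity window has elapsed, decides whether renewal is due against a threshold (an assumed tuning knob, not a documented flag of the tool), renders the gauges listed above in Prometheus text exposition format with the `ssh_key_signer` prefix, and writes them atomically for node_exporter's textfile collector. The sample validity window in `main` is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// MetricPrefix matches the prefix the README documents for all gauges.
const MetricPrefix = "ssh_key_signer"

// CertWindow is the validity window of an OpenSSH certificate, i.e. its
// "valid after" and "valid before" fields (Unix seconds in the wire format).
type CertWindow struct {
	ValidAfter  time.Time
	ValidBefore time.Time
}

// LifetimeSeconds is the total number of seconds the certificate is valid.
func (c CertWindow) LifetimeSeconds() int64 {
	return int64(c.ValidBefore.Sub(c.ValidAfter).Seconds())
}

// LifetimePercent returns the share of the lifetime elapsed at `now`, clamped
// to [0, 100]. A degenerate window counts as fully used so it is always renewed.
func (c CertWindow) LifetimePercent(now time.Time) float64 {
	total := c.ValidBefore.Sub(c.ValidAfter).Seconds()
	if total <= 0 {
		return 100
	}
	pct := now.Sub(c.ValidAfter).Seconds() / total * 100
	switch {
	case pct < 0:
		return 0
	case pct > 100:
		return 100
	}
	return pct
}

// NeedsRenewal reports whether the elapsed lifetime has reached the renewal
// threshold (percent of lifetime). The threshold is an assumption of this
// example, not a documented vault-ssh-cli option.
func (c CertWindow) NeedsRenewal(now time.Time, thresholdPercent float64) bool {
	return c.LifetimePercent(now) >= thresholdPercent
}

// RenderMetrics produces the README's gauges in the Prometheus text exposition
// format that node_exporter's textfile collector reads.
func RenderMetrics(c CertWindow, now time.Time, success bool) string {
	var b strings.Builder
	gauge := func(name, help, value string) {
		full := MetricPrefix + "_" + name
		fmt.Fprintf(&b, "# HELP %s %s\n# TYPE %s gauge\n%s %s\n", full, help, full, full, value)
	}
	successVal := "0"
	if success {
		successVal = "1"
	}
	gauge("success_bool", "Whether the tool ran successfully.", successVal)
	gauge("cert_expiry_seconds", "Unix time after which the cert is no longer valid.", fmt.Sprintf("%d", c.ValidBefore.Unix()))
	gauge("cert_lifetime_seconds_total", "Total number of seconds the cert is valid.", fmt.Sprintf("%d", c.LifetimeSeconds()))
	gauge("cert_lifetime_percent", "Elapsed lifetime of the cert in percent.", fmt.Sprintf("%.2f", c.LifetimePercent(now)))
	gauge("run_timestamp_seconds", "Unix time of this run.", fmt.Sprintf("%d", now.Unix()))
	return b.String()
}

// WriteTextfile writes the metrics to <dir>/<name>.prom via a temporary file
// and rename, so a concurrent node_exporter scrape never sees a partial file.
func WriteTextfile(dir, name, content string) error {
	tmp, err := os.CreateTemp(dir, name+".*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err := tmp.WriteString(content); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, filepath.Join(dir, name+".prom"))
}

func main() {
	// Constructed sample: a 24h certificate issued 18h ago, so 75% of its lifetime is used.
	issued := time.Now().Add(-18 * time.Hour)
	cert := CertWindow{ValidAfter: issued, ValidBefore: issued.Add(24 * time.Hour)}
	now := time.Now()
	if cert.NeedsRenewal(now, 66) {
		fmt.Println("renewal due: elapsed lifetime above the 66% threshold")
	}
	fmt.Print(RenderMetrics(cert, now, true))
}
```

Clamping the percentage matters on both ends: a clock skewed before `ValidAfter` must not produce a negative gauge, and a certificate that has already expired should read 100% and be renewed rather than report a value above the scale. The write-then-rename step is the usual way to hand files to the textfile collector, which scrapes `*.prom` files in its directory whenever Prometheus polls it.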
Vault needs to be configured with an SSH secret engine, see this TF module.
https://man.openbsd.org/sshd_config#HostCertificate
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#client-side-host-verification