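#!/bin/bash
# Reproduction: a Vault SSH CA role plus a policy that tries to pin
# `valid_principals` to "b" with `allowed_parameters`.
#
# `allowed_parameters` only constrains a parameter the caller actually sends.
# A signing request that omits `valid_principals` passes the policy and the
# role then fills in its `default_user` ("a" here), so a token that is meant
# to be limited to principal "b" still gets a certificate for "a".
# The first signing call below omits the parameter, the second sends it;
# compare the "Principals:" line of the two `ssh-keygen -L` dumps.
#
# Mitigations (verify against your Vault version):
#   - add "required_parameters": ["valid_principals"] to the policy, if the
#     running Vault supports it, so the parameter cannot be left out; and/or
#   - do not configure a `default_user` that lies outside the set the caller
#     is allowed to request.
#
# Requires: a reachable, unsealed Vault (VAULT_ADDR) and a VAULT_TOKEN that
# can mount backends, write policies and create tokens; jq; ssh-keygen.
# Optional: PUBKEY — public key to sign (default: ~/.ssh/id_rsa.pub).
# Written against the pre-0.9 CLI (vault mount / policy-write / token-create);
# later releases spell these `vault secrets enable -path=... ssh`,
# `vault policy write` and `vault token create`.
set -euo pipefail

SSH_MOUNTPOINT="ssh-$RANDOM"
PUBKEY="${PUBKEY:-$HOME/.ssh/id_rsa.pub}"
CERT=$(mktemp /tmp/cert.XXXXXX)

# Runs on every exit path so an aborted run does not leave the throwaway
# mount or the temporary certificate file behind.
cleanup() {
  { set +x; } 2>/dev/null
  rm -f -- "$CERT"
  vault unmount "$SSH_MOUNTPOINT" || true   # may not have been mounted yet
}
trap cleanup EXIT

# Sign $PUBKEY as the restricted token and dump the resulting certificate.
# Extra arguments are passed through to `vault write` (e.g. valid_principals=b).
# xtrace is switched off around the call: `set -x` would otherwise print the
# `VAULT_TOKEN=...` prefix, i.e. the token itself, to stderr.
sign_and_show() {
  { set +x; } 2>/dev/null
  printf '+ (as restricted token) vault write %s/sign/example public_key=@%s %s\n' \
    "$SSH_MOUNTPOINT" "$PUBKEY" "$*" >&2
  VAULT_TOKEN="$RESTRICTED_TOKEN" vault write -format=json \
    "$SSH_MOUNTPOINT/sign/example" public_key=@"$PUBKEY" "$@" \
    | jq -r .data.signed_key | head -1 > "$CERT"
  set -x
  ssh-keygen -Lf "$CERT"   # pipe into `grep -A1 Principals:` to see only the principals
}

set -x
vault mount -path="$SSH_MOUNTPOINT" ssh
vault write "$SSH_MOUNTPOINT/config/ca" generate_signing_key=true

# Role: user certificates only, principals limited to "a" and "b",
# and "a" is used whenever the request carries no valid_principals.
vault write "$SSH_MOUNTPOINT/roles/example" - <<'EOF'
{
"ttl": "30m0s",
"max_ttl": "768h0m0s",
"key_type": "ca",
"default_user": "a",
"default_extensions": {
"permit-X11-forwarding": "",
"permit-agent-forwarding": "",
"permit-port-forwarding": "",
"permit-pty": "",
"permit-user-rc": ""
},
"default_critical_options": {},
"allowed_users": "a,b",
"allow_bare_domains": false,
"allow_host_certificates": false,
"allow_subdomains": false,
"allow_user_certificates": true,
"allow_user_key_ids": false,
"allowed_critical_options": "",
"allowed_domains": "",
"allowed_extensions": ""
}
EOF

# Policy: may only hit this role's sign endpoint; *if* valid_principals is
# sent it must be "b"; public_key may be anything. Nothing here forces the
# caller to send valid_principals at all — that is the gap being shown.
vault policy-write user-b-only - <<EOF
{
"path": {
"$SSH_MOUNTPOINT/sign/example": {
"allowed_parameters": {
"valid_principals": ["b"],
"public_key": []
},
"capabilities": ["update"]
}
}
}
EOF

# Mint the restricted token with tracing off: `set -x` prints variable
# assignments with their values, which would put the token in the trace.
{ set +x; } 2>/dev/null
RESTRICTED_TOKEN=$(vault token-create -format=json -display-name=restricted -policy=user-b-only | jq -r .auth.client_token)
if [[ -z "$RESTRICTED_TOKEN" || "$RESTRICTED_TOKEN" == "null" ]]; then
  printf 'token-create returned no client_token\n' >&2
  exit 1
fi
set -x

# 1) valid_principals omitted: the policy lets it through and the role
#    substitutes default_user "a" — a principal this token should not get.
sign_and_show
# 2) valid_principals=b: the one value the policy explicitly permits.
sign_and_show valid_principals=b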