junaid18183/vault_ssh_otp_demo.sh

## vault_ssh_otp_demo.sh
#!/bin/bash
download_vault(){
wget https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip?_ga=2.165144251.566422628.1516357846-2059600638.1516357846 -O vault_0.9.1_linux_amd64.zip
apt-get install -y zip
unzip vault_0.9.1_linux_amd64.zip
mv vault /usr/local/bin/
rm vault_0.9.1_linux_amd64.zip
}
########################
download_ssh_helper(){
wget --no-check-cert https://releases.hashicorp.com/vault-ssh-helper/0.1.3/vault-ssh-helper_0.1.3_linux_amd64.zip
unzip vault-ssh-helper_0.1.3_linux_amd64.zip
mv vault-ssh-helper /usr/local/bin/
rm vault-ssh-helper_0.1.3_linux_amd64.zip

mkdir /etc/vault-ssh-helper.d

cat <<- EOF > /etc/vault-ssh-helper.d/config.hcl
vault_addr = "http://127.0.0.1:8200"
ssh_mount_point = "ssh"
tls_skip_verify = false
allowed_roles = "*"
EOF

echo "Setting up the sshd_config file"
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
sed -i 's|ChallengeResponseAuthentication no|ChallengeResponseAuthentication yes|g' /etc/ssh/sshd_config
sed -i 's|UsePAM no|UsePAM yes|g' /etc/ssh/sshd_config
sed -i 's|PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
echo "verify below o/p should be yes/yes/no"
grep ChallengeResponseAuthentication /etc/ssh/sshd_config | grep -v "#"
grep UsePAM /etc/ssh/sshd_config | grep -v "#"
grep PasswordAuthenticatio /etc/ssh/sshd_config | grep -v "#"

echo "Setting up the /etc/pam.d/sshd file"
cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
rm /etc/pam.d/sshd
cat <<- EOF > /etc/pam.d/sshd
#@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay
EOF

service sshd restart

}

########################
create_vault_config_file(){
cat <<- EOF > vault-server.hcl
backend "file" {
path = "/opt/vault-file-system"
}

listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
disable_mlock = false
EOF
}
########################
start_vault(){
#PID=$(ps aux | grep vault | grep -v grep | awk '{print $2}')
#kill -9 $PID
vault server -config=vault-server.hcl -log-level=debug >> /var/log/vault.log 2>&1 &
echo "Vault server started. Logs are at /var/log/vault.log. Path of vault file is /opt/vault-file-system"
}
########################
vault_init (){
export VAULT_ADDR=http://127.0.0.1:8200
vault init | tee tokens.txt
ROOT_TOKEN=$(grep "Initial Root Token" tokens.txt | awk -F: '{print $2}')
export VAULT_TOKEN=$ROOT_TOKEN
for i in 1 2 3; do
    T=$(grep "Unseal Key $i" tokens.txt |awk -F: '{print $2}')
    vault unseal $T
done
}
########################################################
echo "download_vault"
download_vault
sleep 3
echo "download_ssh_helper"
download_ssh_helper
sleep 3
echo "create_vault_config_file"
create_vault_config_file
sleep 3
echo "start_vault"
start_vault
sleep 3
echo "vault_init"
vault_init
sleep 3
vault mount ssh
vault write ssh/roles/otp_key_role key_type=otp default_user=root cidr_list=0.0.0.0/0
vault read ssh/roles/otp_key_role
vault write ssh/creds/otp_key_role ip=127.0.0.1
echo "Now try to login to 127.0.0.1 using root with the OTP listed above"
sleep 5
echo "You can take it ,one step further and automate the above task"
echo "use below command to ssh to localhost. The OTP will be listed in the prompt. The entering password is also avoided if we install sshpass utility"
echo "export VAULT_ADDR=http://127.0.0.1:8200;export VAULT_TOKEN=$ROOT_TOKEN"
echo "vault ssh -role otp_key_role root@127.0.0.1"
	#!/bin/bash
	download_vault(){
	wget https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip?_ga=2.165144251.566422628.1516357846-2059600638.1516357846 -O vault_0.9.1_linux_amd64.zip
	apt-get install -y zip
	unzip vault_0.9.1_linux_amd64.zip
	mv vault /usr/local/bin/
	rm vault_0.9.1_linux_amd64.zip
	}
	########################
	download_ssh_helper(){
	wget --no-check-cert https://releases.hashicorp.com/vault-ssh-helper/0.1.3/vault-ssh-helper_0.1.3_linux_amd64.zip
	unzip vault-ssh-helper_0.1.3_linux_amd64.zip
	mv vault-ssh-helper /usr/local/bin/
	rm vault-ssh-helper_0.1.3_linux_amd64.zip

	mkdir /etc/vault-ssh-helper.d

	cat <<- EOF > /etc/vault-ssh-helper.d/config.hcl
	vault_addr = "http://127.0.0.1:8200"
	ssh_mount_point = "ssh"
	tls_skip_verify = false
	allowed_roles = "*"
	EOF

	echo "Setting up the sshd_config file"
	cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
	sed -i 's\|ChallengeResponseAuthentication no\|ChallengeResponseAuthentication yes\|g' /etc/ssh/sshd_config
	sed -i 's\|UsePAM no\|UsePAM yes\|g' /etc/ssh/sshd_config
	sed -i 's\|PasswordAuthentication yes\|PasswordAuthentication no\|g' /etc/ssh/sshd_config
	echo "verify below o/p should be yes/yes/no"
	grep ChallengeResponseAuthentication /etc/ssh/sshd_config \| grep -v "#"
	grep UsePAM /etc/ssh/sshd_config \| grep -v "#"
	grep PasswordAuthenticatio /etc/ssh/sshd_config \| grep -v "#"

	echo "Setting up the /etc/pam.d/sshd file"
	cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
	rm /etc/pam.d/sshd
	cat <<- EOF > /etc/pam.d/sshd
	#@include common-auth
	auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
	auth optional pam_unix.so not_set_pass use_first_pass nodelay
	EOF

	service sshd restart

	}

	########################
	create_vault_config_file(){
	cat <<- EOF > vault-server.hcl
	backend "file" {
	path = "/opt/vault-file-system"
	}

	listener "tcp" {
	address = "0.0.0.0:8200"
	tls_disable = 1
	}
	disable_mlock = false
	EOF
	}
	########################
	start_vault(){
	#PID=$(ps aux \| grep vault \| grep -v grep \| awk '{print $2}')
	#kill -9 $PID
	vault server -config=vault-server.hcl -log-level=debug >> /var/log/vault.log 2>&1 &
	echo "Vault server started. Logs are at /var/log/vault.log. Path of vault file is /opt/vault-file-system"
	}
	########################
	vault_init (){
	export VAULT_ADDR=http://127.0.0.1:8200
	vault init \| tee tokens.txt
	ROOT_TOKEN=$(grep "Initial Root Token" tokens.txt \| awk -F: '{print $2}')
	export VAULT_TOKEN=$ROOT_TOKEN
	for i in 1 2 3; do
	T=$(grep "Unseal Key $i" tokens.txt \|awk -F: '{print $2}')
	vault unseal $T
	done
	}
	########################################################
	echo "download_vault"
	download_vault
	sleep 3
	echo "download_ssh_helper"
	download_ssh_helper
	sleep 3
	echo "create_vault_config_file"
	create_vault_config_file
	sleep 3
	echo "start_vault"
	start_vault
	sleep 3
	echo "vault_init"
	vault_init
	sleep 3
	vault mount ssh
	vault write ssh/roles/otp_key_role key_type=otp default_user=root cidr_list=0.0.0.0/0
	vault read ssh/roles/otp_key_role
	vault write ssh/creds/otp_key_role ip=127.0.0.1
	echo "Now try to login to 127.0.0.1 using root with the OTP listed above"
	sleep 5
	echo "You can take it ,one step further and automate the above task"
	echo "use below command to ssh to localhost. The OTP will be listed in the prompt. The entering password is also avoided if we install sshpass utility"
	echo "export VAULT_ADDR=http://127.0.0.1:8200;export VAULT_TOKEN=$ROOT_TOKEN"
	echo "vault ssh -role otp_key_role root@127.0.0.1"