Skip to content

Instantly share code, notes, and snippets.

@kawsark

kawsark/vault-ssh-ca-ansible

Created March 24, 2020 16:09
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save kawsark/a9443692a9e4a7b1c7df253995ce864c to your computer and use it in GitHub Desktop.
Save kawsark/a9443692a9e4a7b1c7df253995ce864c to your computer and use it in GitHub Desktop.
Download ZIP
Steps to setup Vault SSH CA secrets engine for use with Ansible
Raw
vault-ssh-ca-ansible
# 1. (Optional) Disable SSH and Key/Value secrets engine if they existed.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable SSH secrets engine (Client signer role) and generate a CA
vault secrets enable -path=ssh ssh
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
# 3. Update the sshd_config file with the CA
sudo cp ./trusted-user-ca-keys.pem /etc/ssh/trusted-user-ca-keys.pem
echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" | sudo tee --append /etc/ssh/sshd_config
sudo systemctl restart sshd
# 4. Create a SSH Client key signing Role for Ansible with 30 mins validity period
vault write ssh/roles/ansible -<<EOF
{
"allow_user_certificates": true,
"allowed_users": "*",
"default_extensions": [
{
"permit-pty": ""
} ],
"key_type": "ca",
"default_user": "root",
"ttl": "30m0s"
}
EOF
# 5. Enable KV V2 secrets engine and upload a public/private key pair for Ansible
vault secrets enable -version=2 kv
rm -f ansible-key
ssh-keygen -t rsa -b 4096 -f ansible-key -N ""
vault write kv/data/ansible ssh-private-key="$(cat ansible-key)" ssh-public-key="$(cat ansible-key.pub)" ssh-username=root
# 6. Create a policy and Vault token that allows a public key to be signed
echo '
path "ssh/sign/ansible" { capabilities = ["create", "update"] }
path "kv/*" { capabilities = ["read"] }
' | vault policy write ansible-ssh -
vault policy list # Should see ansible-ssh policy
vault secrets list # Should see ssh and kv secrets engine
vault token create -policy=ansible-ssh -period=24h
# 7. Client key signing and performing SSH
export VAULT_TOKEN=<use-token-from-before>
# Preferred method - get public/private key in Vault then sign it
vault write -field=signed_key ssh/sign/ansible public_key="$(vault kv get -field=ssh-public-key kv/ansible)" > signed-cert.pub.signed
ssh -i signed-cert.pub.signed -i "$(vault kv get -field=ssh-private-key kv/ansible)" root@managed-host
# Alternatively, sign a local public/private key pair
vault write -field=signed_key ssh/sign/ansible public_key=@ansible-key.pub > signed-cert.pub.signed
ssh -i signed-cert.pub.signed -i ansible-key root@managed-host
# 8. Rotate Ansible key: upload new public / private key pair
rm -f ansible-key
ssh-keygen -t rsa -b 4096 -f ansible-key -N ""
vault write kv/data/ansible ssh-private-key="$(cat ansible-key)" ssh-public-key="$(cat ansible-key.pub)" ssh-username=root
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment