Created April 18, 2017 23:15
Gist AlbinoDrought/f3d473c2b199ac0e32dd78bee09b9277
Vault SSH Secret Backend quick and dirty setup
```bash
#!/bin/bash
# Generate a fresh client key pair and have Vault's client-signer role sign it.
set -euo pipefail

FILE="client_key"
OUTPUT_FILE="client_key-cert.pub"

echo "Generating new key..."
ssh-keygen -t rsa -f "$FILE" -N ''

echo "Getting client key signed by Vault..."
# The Vault CLI prints a tab-separated Key/Value table; keep only the signed_key value.
cat "$FILE.pub" | vault write ssh-client-signer/sign/clientrole public_key=- | grep "signed_key" | cut -f 2 > "$OUTPUT_FILE"

echo "Setting permissions..."
chmod 0600 "$FILE"
chmod 0640 "$OUTPUT_FILE"
```
```bash
#!/bin/bash
# Generate a host key, have Vault's host-signer role sign it, install both
# and tell sshd to present the certificate.
set -euo pipefail

FILE="vault_host_key"
OUTPUT_FILE="$FILE-cert.pub"
# /etc for cygwin, probably /etc/ssh for normal people
SSH_PATH="/etc"
SSH_CONFIG="$SSH_PATH/sshd_config"
SSH_HOST_KEY_PATH="$SSH_PATH/vault_host_key"
SSH_HOST_CERT_PATH="$SSH_PATH/vault_host_key-cert.pub"

echo "Generating new key..."
ssh-keygen -t rsa -f "$FILE" -N ''

echo "Getting host key signed by Vault..."
# The Vault CLI prints a tab-separated Key/Value table; keep only the signed_key value.
cat "$FILE.pub" | vault write ssh-host-signer/sign/hostrole public_key=- cert_type=host | grep "signed_key" | cut -f 2 > "$OUTPUT_FILE"

echo "Copying files to proper paths..."
cp "$FILE" "$SSH_HOST_KEY_PATH"
cp "$OUTPUT_FILE" "$SSH_HOST_CERT_PATH"

echo "Setting permissions..."
chmod 0400 "$SSH_HOST_KEY_PATH"
chmod 0640 "$SSH_HOST_CERT_PATH"

echo "Updating SSH config..."
# Appends unconditionally, so running this twice leaves duplicate entries.
echo "HostKey $SSH_HOST_KEY_PATH" >> "$SSH_CONFIG"
echo "HostCertificate $SSH_HOST_CERT_PATH" >> "$SSH_CONFIG"
echo "Done! You will probably have to restart ssh for these changes to begin working."
```
```bash
#!/bin/bash
# Fetch the host-signing CA public key from Vault and trust it for all hosts.
set -euo pipefail

FILE="vault-cert-ca.pub"
# Hostname pattern the CA is trusted for; "*" means every host.
DOMAIN="*"

echo "Fetching public host key..."
vault read ssh-host-signer/config/ca | grep "public_key" | cut -f 2 > "$FILE"
echo "@cert-authority $DOMAIN $(cat "$FILE")" >> ~/.ssh/known_hosts
echo "Added public host key to known_hosts!"
# The host CA certificate is now configured
```
```bash
#!/bin/bash
# Fetch the client-signing CA public key from Vault and make sshd trust
# user certificates signed by it.
set -euo pipefail

FILE="trusted-user-ca-keys.pem"
# /etc for cygwin, probably /etc/ssh for normal people
SSH_PATH="/etc"
SSH_TRUSTED_KEY_PATH="$SSH_PATH/$FILE"
SSH_CONFIG="$SSH_PATH/sshd_config"

echo "Fetching public client key..."
vault read ssh-client-signer/config/ca | grep "public_key" | cut -f 2 > "$FILE"
cp "$FILE" "$SSH_TRUSTED_KEY_PATH"

echo "Changing SSH config..."
# Appends unconditionally, so running this twice leaves duplicate entries.
echo "TrustedUserCAKeys $SSH_TRUSTED_KEY_PATH" >> "$SSH_CONFIG"
# The client CA certificate is now configured
```
setup-host.sh and make-host-key.sh are set up for Cygwin hosts (has sshd_config at /etc/sshd_config); SSH_PATH will have to be changed for others. The setup-host.sh script will probably break if you run it more than once. I would avoid running any of these scripts on a non-development system.
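As an added example that is not part of the gist, the helpers below address two weak points in the scripts above: the `grep | cut -f 2` parsing of Vault's tab-separated output, which silently writes an empty file when the key is missing, and the unconditional `>>` appends that make setup-host.sh unsafe to re-run. The Vault output, file paths and CA key used here are constructed sample data; no live Vault or sshd is touched.

```bash
#!/bin/bash
# Added example, not part of the gist: re-runnable versions of the steps the
# gist's scripts perform. Sample Vault output and paths are constructed.
set -eu

# Pull one value out of the tab-separated "Key<TAB>Value" table the Vault 0.x
# CLI prints (the gist does this with `grep ... | cut -f 2`). Matches the key
# column exactly, so "public_key" cannot also pick up "public_key_fingerprint".
# Exit status 1 when the key is absent, so a failed signing never yields an empty cert.
vault_field() {
  awk -v key="$1" 'BEGIN { FS = "\t" }
    $1 == key { sub(/^[ \t]+/, "", $2); sub(/[ \t\r]+$/, "", $2); print $2; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Append a line only if that exact line is not already present.
# Returns 0 when the line was added, 1 when it was already there.
append_line_once() {
  local file="$1" line="$2"
  touch "$file"
  grep -qxF -- "$line" "$file" && return 1
  printf '%s\n' "$line" >> "$file"
}

# Trust a host CA for hosts matching $domain in a known_hosts file, after
# checking the value really is an OpenSSH public key ("ssh-rsa AAAA...").
trust_host_ca() {
  local known_hosts="$1" domain="$2" ca_pub="$3"
  case "$ca_pub" in
    ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
    *) echo "not an OpenSSH public key, refusing to trust it: $ca_pub" >&2; return 2 ;;
  esac
  append_line_once "$known_hosts" "@cert-authority $domain $ca_pub" || true
}

# Point sshd at the client-signing CA key; safe to run more than once, unlike
# a bare `echo ... >> sshd_config`.
trust_user_ca() {
  local sshd_config="$1" ca_path="$2"
  append_line_once "$sshd_config" "TrustedUserCAKeys $ca_path" || true
}
```

Wire these in as `vault read ssh-host-signer/config/ca | vault_field public_key` and call the trust functions with the real known_hosts and sshd_config paths; sshd still needs a restart afterwards, as the gist notes.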