junaid18183 · May 10, 2020 11:11
diff --git a/vault_ssh_otp_demo.sh b/vault_ssh_otp_demo.sh
 #!/bin/bash
 download_vault(){
 wget https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip?_ga=2.165144251.566422628.1516357846-2059600638.1516357846 -O vault_0.9.1_linux_amd64.zip
 apt-get install -y zip
 unzip vault_0.9.1_linux_amd64.zip
 mv vault /usr/local/bin/
 rm vault_0.9.1_linux_amd64.zip
 }
 ########################
 download_ssh_helper(){
 wget --no-check-cert https://releases.hashicorp.com/vault-ssh-helper/0.1.3/vault-ssh-helper_0.1.3_linux_amd64.zip
 unzip vault-ssh-helper_0.1.3_linux_amd64.zip
 mv vault-ssh-helper /usr/local/bin/
 rm vault-ssh-helper_0.1.3_linux_amd64.zip

 mkdir /etc/vault-ssh-helper.d

 cat <<- EOF > /etc/vault-ssh-helper.d/config.hcl
 vault_addr = "http://127.0.0.1:8200"
 ssh_mount_point = "ssh"
 tls_skip_verify = false
 allowed_roles = "*"
 EOF

 echo "Setting up the sshd_config file"
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 sed -i 's|ChallengeResponseAuthentication no|ChallengeResponseAuthentication yes|g' /etc/ssh/sshd_config
 sed -i 's|UsePAM no|UsePAM yes|g' /etc/ssh/sshd_config
 sed -i 's|PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
 echo "verify below o/p should be yes/yes/no"
 grep ChallengeResponseAuthentication /etc/ssh/sshd_config | grep -v "#"  
 grep UsePAM /etc/ssh/sshd_config | grep -v "#"
 grep PasswordAuthenticatio /etc/ssh/sshd_config | grep -v "#"

 echo "Setting up the /etc/pam.d/sshd file"
 cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
 rm /etc/pam.d/sshd
 cat <<- EOF > /etc/pam.d/sshd
 #@include common-auth
 auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
 auth optional pam_unix.so not_set_pass use_first_pass nodelay
 EOF

 service sshd restart

 }

 ########################
 create_vault_config_file(){
 cat <<- EOF > vault-server.hcl
 backend "file" {
 path = "/opt/vault-file-system"
 }

 listener "tcp" {
 address = "0.0.0.0:8200"
 tls_disable = 1
 }
 disable_mlock = false
 EOF
 }
 ########################
 start_vault(){
 #PID=$(ps aux | grep vault | grep -v grep | awk '{print $2}')
 #kill -9 $PID
 vault server -config=vault-server.hcl -log-level=debug >> /var/log/vault.log 2>&1 &
 echo "Vault server started. Logs are at /var/log/vault.log. Path of vault file is /opt/vault-file-system"
 }
 ########################
 vault_init (){
 export VAULT_ADDR=http://127.0.0.1:8200
 vault init | tee tokens.txt
 ROOT_TOKEN=$(grep "Initial Root Token" tokens.txt | awk -F: '{print $2}')
 export VAULT_TOKEN=$ROOT_TOKEN
 for i in 1 2 3; do
    T=$(grep "Unseal Key $i" tokens.txt |awk -F: '{print $2}')
    vault unseal $T
 done
 }
 ########################################################
 echo "download_vault"
 download_vault
 sleep 3
 echo "download_ssh_helper"
 download_ssh_helper
 sleep 3
 echo "create_vault_config_file"
 create_vault_config_file
 sleep 3
 echo "start_vault"
 start_vault
 sleep 3
 echo "vault_init"
 vault_init
 sleep 3
 vault mount ssh
 vault write ssh/roles/otp_key_role key_type=otp default_user=root cidr_list=0.0.0.0/0
 vault read ssh/roles/otp_key_role
 vault write ssh/creds/otp_key_role ip=127.0.0.1
 echo "Now try to login to 127.0.0.1 using root with the OTP listed above"
 sleep 5
 echo "You can take it ,one step further and automate the above task"
 echo "use below command to ssh to localhost. The OTP will be listed in the prompt. The entering password is also avoided if we install sshpass utility"
 echo "export VAULT_ADDR=http://127.0.0.1:8200;export VAULT_TOKEN=$ROOT_TOKEN"
 echo "vault ssh -role otp_key_role [email protected]"
	#!/bin/bash
	download_vault(){
	wget https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip?_ga=2.165144251.566422628.1516357846-2059600638.1516357846 -O vault_0.9.1_linux_amd64.zip
	apt-get install -y zip
	unzip vault_0.9.1_linux_amd64.zip
	mv vault /usr/local/bin/
	rm vault_0.9.1_linux_amd64.zip
	}
	########################
	download_ssh_helper(){
	wget --no-check-cert https://releases.hashicorp.com/vault-ssh-helper/0.1.3/vault-ssh-helper_0.1.3_linux_amd64.zip
	unzip vault-ssh-helper_0.1.3_linux_amd64.zip
	mv vault-ssh-helper /usr/local/bin/
	rm vault-ssh-helper_0.1.3_linux_amd64.zip

	mkdir /etc/vault-ssh-helper.d

	cat <<- EOF > /etc/vault-ssh-helper.d/config.hcl
	vault_addr = "http://127.0.0.1:8200"
	ssh_mount_point = "ssh"
	tls_skip_verify = false
	allowed_roles = "*"
	EOF

	echo "Setting up the sshd_config file"
	cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
	sed -i 's\|ChallengeResponseAuthentication no\|ChallengeResponseAuthentication yes\|g' /etc/ssh/sshd_config
	sed -i 's\|UsePAM no\|UsePAM yes\|g' /etc/ssh/sshd_config
	sed -i 's\|PasswordAuthentication yes\|PasswordAuthentication no\|g' /etc/ssh/sshd_config
	echo "verify below o/p should be yes/yes/no"
	grep ChallengeResponseAuthentication /etc/ssh/sshd_config \| grep -v "#"
	grep UsePAM /etc/ssh/sshd_config \| grep -v "#"
	grep PasswordAuthenticatio /etc/ssh/sshd_config \| grep -v "#"

	echo "Setting up the /etc/pam.d/sshd file"
	cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
	rm /etc/pam.d/sshd
	cat <<- EOF > /etc/pam.d/sshd
	#@include common-auth
	auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
	auth optional pam_unix.so not_set_pass use_first_pass nodelay
	EOF

	service sshd restart

	}

	########################
	create_vault_config_file(){
	cat <<- EOF > vault-server.hcl
	backend "file" {
	path = "/opt/vault-file-system"
	}

	listener "tcp" {
	address = "0.0.0.0:8200"
	tls_disable = 1
	}
	disable_mlock = false
	EOF
	}
	########################
	start_vault(){
	#PID=$(ps aux \| grep vault \| grep -v grep \| awk '{print $2}')
	#kill -9 $PID
	vault server -config=vault-server.hcl -log-level=debug >> /var/log/vault.log 2>&1 &
	echo "Vault server started. Logs are at /var/log/vault.log. Path of vault file is /opt/vault-file-system"
	}
	########################
	vault_init (){
	export VAULT_ADDR=http://127.0.0.1:8200
	vault init \| tee tokens.txt
	ROOT_TOKEN=$(grep "Initial Root Token" tokens.txt \| awk -F: '{print $2}')
	export VAULT_TOKEN=$ROOT_TOKEN
	for i in 1 2 3; do
	T=$(grep "Unseal Key $i" tokens.txt \|awk -F: '{print $2}')
	vault unseal $T
	done
	}
	########################################################
	echo "download_vault"
	download_vault
	sleep 3
	echo "download_ssh_helper"
	download_ssh_helper
	sleep 3
	echo "create_vault_config_file"
	create_vault_config_file
	sleep 3
	echo "start_vault"
	start_vault
	sleep 3
	echo "vault_init"
	vault_init
	sleep 3
	vault mount ssh
	vault write ssh/roles/otp_key_role key_type=otp default_user=root cidr_list=0.0.0.0/0
	vault read ssh/roles/otp_key_role
	vault write ssh/creds/otp_key_role ip=127.0.0.1
	echo "Now try to login to 127.0.0.1 using root with the OTP listed above"
	sleep 5
	echo "You can take it ,one step further and automate the above task"
	echo "use below command to ssh to localhost. The OTP will be listed in the prompt. The entering password is also avoided if we install sshpass utility"
	echo "export VAULT_ADDR=http://127.0.0.1:8200;export VAULT_TOKEN=$ROOT_TOKEN"
	echo "vault ssh -role otp_key_role [email protected]"