Skip to content

Instantly share code, notes, and snippets.

@prbinu

prbinu/ssh-cert-template-test.sh

Last active December 4, 2021 21:04
Show Gist options
  • Save prbinu/3a2e349eac5d265fd8683fcb01a84028 to your computer and use it in GitHub Desktop.
Save prbinu/3a2e349eac5d265fd8683fcb01a84028 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ssh-cert-template-test.sh
# pre-req: start Vault server (dev)
# Usage: VAULT_TOKEN=<dev-root-token> ./ssh-cert-template-test.sh
vault policy write test -<<EOF
path "ssh-client-signer/sign/my-role"
{
capabilities = ["create", "read", "update"]
}
EOF
vault policy write team-qa -<<EOF
path "ssh-client-signer/sign/my-role"
{
capabilities = ["create", "read", "update"]
}
EOF
vault policy list
# create two users, bob and bsmith in different path (different accessor)
vault auth enable -path="userpass-test" userpass
vault write auth/userpass-test/users/bob password="training" policies="test"
vault auth enable -path="userpass-qa" userpass
vault write auth/userpass-qa/users/bsmith password="training" policies="team-qa"
vault auth list -detailed
vault auth list -format=json | jq -r '.["userpass-test/"].accessor' > accessor_test.txt
vault auth list -format=json | jq -r '.["userpass-qa/"].accessor' > accessor_qa.txt
# setup ssh cert path and role
vault secrets enable -path=ssh-client-signer ssh
vault write ssh-client-signer/config/ca generate_signing_key=true
# the idea is to allow users logged using different (accessor) method (e.g. jwt, userpass, ldap etc.) to use the same SSH role
vault write ssh-client-signer/roles/my-role -<<EOH
{
"allow_user_certificates": true,
"allowed_users": "{{identity.entity.aliases.$(cat accessor_qa.txt).name}},{{identity.entity.aliases.$(cat accessor_test.txt).name}},ubuntu",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"default_user": "",
"allowed_users_template": true,
"ttl": "30m0s"
}
EOH
# debug statement
vault read -format json ssh-client-signer/roles/my-role
# make sure you have `.ssh/id_rsa.pub` in your home directory
vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub
# this will fail
vault write -field=signed_key ssh-client-signer/sign/my-role \
valid_principals="my-user,ubuntu" \
public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f -
# login as bob
vault login -format=json -method=userpass -path=userpass-test \
username=bob password=training \
| jq -r ".auth.client_token" > bob_token.txt
# this will work, but empty principals
VAULT_TOKEN=$(cat bob_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \
public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f -
# this will work
VAULT_TOKEN=$(cat bob_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \
valid_principals="bob" \
public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f -
# login as bsmith (different accessor)
vault login -format=json -method=userpass -path=userpass-qa \
username=bsmith password=training \
| jq -r ".auth.client_token" > bsmith_token.txt
# this will work!
VAULT_TOKEN=$(cat bsmith_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \
valid_principals="bsmith,ubuntu" \
public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment