There are two main ways to manage SSH access with Vault:
Official Docs
- Vault: the Vault server.
- User: the user that wants to access a server.
- Host: the server that the user wants to access.
- With this approach, Vault generates a key pair and uses it to sign the users' keys.
- The hosts must be configured to trust the public key of Vault by adding it to the `TrustedUserCAKeys` option in the `sshd_config` file.
This way, when a user wants to access a server:
- She generates a key pair and, after authenticating with Vault, sends the public key to Vault.
- Vault signs the key and returns it to the User.
- The User uses the signed key to access the Host.
- The Host checks the signature of the key against the public key of Vault and allows the access.
With this approach, the user can request a TTL for the signed key, so it will be valid only for that time.
```mermaid
sequenceDiagram
    participant U as User
    participant V as Vault
    participant H as Host
    Note over U,V: User generates a key pair
    U->>+V: Sends public key to Vault
    Note over V: Vault authenticates User
    V->>-U: Signs key and returns it
    U->>+H: Uses signed key to access Host
    Note over H: Host checks key signature with Vault's public key
    H->>-U: Grants access
```
- Enable host key signing in Vault. This will make Vault check the host key of the Host before signing the user key.
- This can be achieved by creating a role to sign SSH keys, signing the host key and adding it as a `HostCertificate` in the Host:
  - We sign the host key with Vault.
  - We add the signed host key to the Host.
  - We enable `HostKey` and `HostCertificate` in the `sshd_config` file of the Host.
This can be done with an Ansible role executed on the Host, which communicates with Vault to send the host key, get it signed, store it and configure the `sshd_config` file.
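The CA flow above (trusting Vault's CA on the Host, signing the host key, and having a user key signed with a short TTL) as an added shell example; this is not the page's or Vault's own code. It assumes `VAULT_ADDR`/`VAULT_TOKEN` are set, the SSH engine is mounted at `ssh`, and the role names and file paths used are our own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes VAULT_ADDR and VAULT_TOKEN are
# set, the SSH secrets engine is mounted at "ssh"; role names and paths are assumed.
set -eu
USER_ROLE=${USER_ROLE:-users}     # assumed: role that signs user keys
HOST_ROLE=${HOST_ROLE:-hosts}     # assumed: role that signs host keys
CA_PUB=/etc/ssh/trusted-user-ca-keys.pem
DROPIN=/etc/ssh/sshd_config.d/vault.conf

# Vault side, once: mount the engine, let Vault generate its signing key pair, add roles.
setup_vault_ca() {
  vault secrets enable -path=ssh ssh
  vault write ssh/config/ca generate_signing_key=true
  vault write ssh/roles/"$USER_ROLE" - <<'EOF'
{"key_type":"ca","allow_user_certificates":true,"allowed_users":"*",
 "default_extensions":{"permit-pty":""},"ttl":"30m","max_ttl":"1h"}
EOF
  vault write ssh/roles/"$HOST_ROLE" key_type=ca allow_host_certificates=true \
      allowed_domains='*' allow_subdomains=true ttl=8760h
}

# Host side: trust Vault's CA for user certs, get the host key signed, present it.
configure_host() {
  vault read -field=public_key ssh/config/ca > "$CA_PUB"
  vault write -field=signed_key ssh/sign/"$HOST_ROLE" cert_type=host \
      public_key=@/etc/ssh/ssh_host_ed25519_key.pub > /etc/ssh/ssh_host_ed25519_key-cert.pub
  render_sshd_dropin > "$DROPIN"          # then reload sshd to pick it up
}
render_sshd_dropin() {
  printf 'TrustedUserCAKeys %s\nHostKey /etc/ssh/ssh_host_ed25519_key\n' "$CA_PUB"
  printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

# User side: have Vault sign an existing public key for a short TTL; ssh picks up the
# *-cert.pub file next to the private key, and ssh-keygen -L shows its Valid: window.
sign_user_key() {   # $1 = path to the user's public key
  vault write -field=signed_key ssh/sign/"$USER_ROLE" public_key=@"$1" ttl=30m \
      > "${1%.pub}-cert.pub" && ssh-keygen -Lf "${1%.pub}-cert.pub"
}

# Audit: given sshd_config text, report whether the two settings this flow relies on
# are active (commented-out lines do not count).
check_sshd_config() {   # $1 = config text; prints "user-ca:yes|no host-cert:yes|no"
  ca=no; cert=no
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*TrustedUserCAKeys[[:space:]]+[^[:space:]]' && ca=yes
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*HostCertificate[[:space:]]+[^[:space:]]' && cert=yes
  printf 'user-ca:%s host-cert:%s\n' "$ca" "$cert"
}

case "${1:-audit}" in
  setup) setup_vault_ca ;;  host) configure_host ;;  sign) sign_user_key "$2" ;;
  audit) check_sshd_config "$(render_sshd_dropin)" ;;   # offline self-check
esac
```

Run with `setup`, `host` or `sign <pubkey>` for the respective side; with no argument it only audits the drop-in it would render.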
Official Docs and Tutorial
- Vault Server: the Vault server.
- Vault Agent: the Vault agent running in the host.
- User: the user that wants to access a server.
- Host: the server that the user wants to access.
- With this approach, every host runs a Vault Agent that communicates with the Vault Server.
- The User asks the Vault Server for an OTP password.
- The Vault Server generates an OTP password and returns it to the User.
- The User uses the OTP password to access the Host.
- The Vault Server checks the OTP password and, if it is valid, allows the access.
- It also removes the OTP password from the list of valid passwords.
```mermaid
sequenceDiagram
    participant U as User
    participant VS as Vault Server
    participant VA as Vault Agent
    participant H as Host
    U->>+VS: Asks for OTP password
    VS-->>-U: Generates and returns OTP password
    U->>+H: Uses OTP password to access Host
    Note over H,VA: Host has Vault Agent running
    VA->>+VS: Checks OTP password
    VS-->>+VA: Validates OTP password
    Note over VS: If valid, allows access and removes OTP from valid list
    VA->>-H: Grants access
```
- The Vault Agent must be running in the host.
- Less secure, as the connection with the Vault Server can be spoofed unless the Vault Agent is configured to use TLS and to verify the certificate of the Vault Server.