Hashicorp Vault — SSH Backend
What is Hashicorp Vault?
Vault was announced with a blog post by Hashimoto on April 28, 2015, and has been used very actively since the day it was announced.
As you all know, we can call Vault ‘’Secret Management’’ in a colloquial manner.
So, what is this Secret? We can conceive of the Secret as the information of which security is important that should not be viewed by others and to which access must be limited and audited, and let us state that our applications will be included in the word ‘’others’’ here. We can securely store the Secret’keys specific to Database passwords, API Tokens, TLS Certificates, SSH Private keys, and Cloud Provider.
Vault SSH Secrets Engine provides secure authentication and authorization to access your servers over SSH protocol.
Vault SSH Secrets Engine supports Signed SSH Certificates and One-Time SSH Password modes. In this post, we will discuss One-time SSH Passwords (OTP).
Vault Installation:
Vault 1.4.3 version, the most up-to-date version when this post was written, was used for the installation. CentOS was preferred as OS.
For installation, let’s download Vault to our server and run it in Development mode.
wget https://releases.hashicorp.com/vault/1.4.3/vault_1.4.3_linux_amd64.zip
unzip vault_1.4.3_linux_amd64.zip -d /usr/local/bin/
vault server -dev -dev-listen-address=IP_ADRESI:8200
Thus, we activated our Vault service on Development mode. To use the Vault service actively, we must first export the VAULT_ADDR definition as an environment variable and Unseal the Vault. It has a single unseal key in development mode. Without Unsealing the Vault, no action can be taken except the Status information of the Vault.
export VAULT_ADDR=’http://IP_ADRESI:8200'
vault operator unseal
Let’s create a Vault SSH Secret Engine:
vault secrets enable ssh
Let’s create the OTP Role:
vault write ssh/roles/otp_key_role \
key_type=otp \
default_user=trendyol \
cidr_list=0.0.0.0/0
Necessary definitions have been made on our vault server. The subsequent definitions will be made on the servers that we want to access with OTP.
Vault SSH Helper:
vault-ssh-helper is part of the vault ssh backend. It enables a server to access with a one-time password during the SSH connection process. It is necessary to install vault-ssh-helper on all servers where SSH access will be managed by Vault. It is also required to make changes to SSH configurations on each server.
We can proceed to Vault-SSH-Helper installation on nodes:
wget https://releases.hashicorp.com/vault-ssh-helper/0.1.6/vault-ssh-helper_0.1.6_linux_amd64.zip
unzip vault-ssh-helper_0.1.6_linux_amd64.zip -d /usr/local/bin/
Let’s make SSH-Helper definitions
mkdir /etc/vault-helper.d/#
cat << EOF > /etc/vault-helper.d/config.hcl
vault_addr = "http://VAULT_IP_ADRESI:8200/"
ssh_mount_point = "ssh"
tls_skip_verify = false
allowed_roles = "*"
allowed_cidr_list="0.0.0.0/0"
EOFLet’s update our PAM File:
The content of the /etc/pam.d/ssh file shall be as follows.
We need to make the following definitions in the /etc/ssh/sshd_config file.
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
After making those definitions specified, we need to restart the sshd service. You can restart the sshd service with the systemctl restart sshd command.
We made the necessary definitions on the nodes and now, we can access our servers with our one-time password by creating an OTP on the vault server.
You can create a new OTP by using vault write ssh/creds/otp_key_role ip=IP_ADRESS command.
You can conduct the OTP creation process over the UI as well as the CLI.
Secrets >> ssh >> otp_key_role
Fist Bump, keep in touch!
