vault-ssh-plus (vssh)
An enhanced implementation of vault ssh
, wrapping the OpenSSH ssh
client to eliminate the management overhead of using of short-lived SSH client keys CA-signed by @hashicorp Vault.
Features
- Support for all
ssh(1)
capabilities, including:
- non-filesystem private keys (e.g.
gpg-agent
, PKCS#11, etc.);
- arbitrary
ssh_config(5)
configuration (e.g. Host
aliases and Match
clauses);
ControlMaster
connection sharing.
- Automatic and transparent just-in-time delivery of short-lived, CA-signed, single-use
ssh
client keys.
- Adherence to the Principal of Least Privilege: by default, signed keys only permit the specific extensions required for the
ssh
options given.
- Automatic username mapping for Vault roles with a single, fixed entry in
allowed_users
(e.g. root
, jenkins
, ansible
).
- Significantly lower memory overhead than
vault ssh
.
Requirements
- A HashiCorp Vault instance configured for SSH Client Key Signing, access to an appropriate role, and an SSH server configured to trust the Vault CA.
- An active Vault token (either in the
VAULT_TOKEN
environment variable, or – if the standard vault
binary is available within $PATH
– available from a Vault Token Helper). The VAULT_ADDR
environment variable must also be set.
- OpenSSH 7.2 or newer
ssh
client binary.
Usage
In addition to all the options accepted by ssh(1)
, vssh
accepts the following options:
$ vssh --help
Usage:
vssh [options] destination [command]
Application Options:
--mode=[sign|issue] Mode (default: issue) [$VAULT_SSH_MODE]
--type=[rsa|ec|ed25519] Preferred key type (default: ed25519) [$VAULT_SSH_KEY_TYPE]
--bits=[0|2048|3072|4096|256|384|521] Key bits for 'issue' mode (default: 0) [$VAULT_SSH_KEY_BITS]
--path= Vault SSH mountpoint (default: ssh) [$VAULT_SSH_PATH]
--role= Vault SSH role (default: <ssh-username>) [$VAULT_SSH_ROLE]
--ttl= Vault SSH certificate TTL (default: 300) [$VAULT_SSH_TTL]
-P, --public-key= Path to preferred public key for 'sign' mode [$VAULT_SSH_PUBLIC_KEY]
--version Show version
Certificate Extensions:
--default-extensions Disable automatic extension calculation and request signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
--agent-forwarding Force permit-agent-forwarding extension [$VAULT_SSH_AGENT_FORWARDING]
--port-forwarding Force permit-port-forwarding extension [$VAULT_SSH_PORT_FORWARDING]
--no-pty Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
--user-rc Enable permit-user-rc extension [$VAULT_SSH_USER_RC]
--x11-forwarding Force permit-X11-forwarding extension [$VAULT_SSH_X11_FORWARDING]
Help Options:
-h, --help Show this help message
If you need to override the SSH Client Key Signing mountpoint or role, this is most easily achieved by setting the VAULT_SSH_PATH
and VAULT_SSH_ROLE
environment variables in your shell rc.
If your Vault SSH mountpoint isn't configured with a role matching the target SSH username, you will need to specify the Vault SSH role to use (e.g. export VAULT_SSH_ROLE=self
or vssh --role=self host
if you're using a role named self
configured with templated allowed_users
).
In issue
mode (the default), the client will retrieve an ephemeral keypair from Vault, exposed to ssh(1)
via an internal SSH agent.
In sign
mode, the client will sign the public key specified, defaulting to the first key added into ssh-agent(1)
(preferring the first of type matching VAULT_SSH_KEY_TYPE
).
The certificate will be requested with only those extensions required for the current command (default permit-pty
unless -N
is specified). Additional extensions may be requested (e.g. to support expected future multiplexed connections) with the "Certificate Extensions" arguments, or the Vault role default extensions may be forced with --default-extensions
.
Examples
The following will request that an existing ed25519 public key be signed by the Vault signer at https://vault.example.com:8200/v1/ssh-client-signer/sign/default
, with (automatic) permit-pty
and permit-port-forwarding
extensions to support the connection to host.example.com
:
$ ssh-add ~/.ssh/id_ed25519
$ export VAULT_ADDR=https://vault.example.com:8200
$ export VAULT_SSH_PATH=ssh-client-signer
$ export VAULT_SSH_ROLE=default
$ export VAULT_SSH_MODE=sign
$ vault login
...
$ vssh -L8080:localhost:80 host.example.com
...
The following will request that an ephemeral ecdsa keypair with a (default) 256-bit private key be generated by the Vault issuer at https://vault.example.com/v1/ssh/issue/root
, and used to run the id
command on host2.example.com
as root
:
$ export VAULT_ADDR=https://vault.example.com
$ export VAULT_SSH_KEY_TYPE=ec
$ vault login
...
$ vssh root@host2.example.com id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
Installation
Manual
Download and extract the latest release.
macOS
brew install isometry/tap/vault-ssh-plus
Ansible
If you've already installed my release-from-github role:
ansible -m import_role -a name=release-from-github -e release_repo=isometry/vault-ssh-plus -e release_hashicorp_style=yes localhost
Arch Linux
vault-ssh-plus has been added to the AUR repository, and can be found at https://aur.archlinux.org/packages/vault-ssh-plus-bin
.
Either install via makepkg, or your favourite AUR helper.
Nix / NixOS
vault-ssh-plus
is available in nixpkgs:
nix-env -iA nixpkgs.vault-ssh-plus
Troubleshooting
Refer to the Vault Documentation