README
¶
====
vssh
====
:Author: Stephane Martin
.. contents::
:depth: 1
..
.. section-numbering::
introduction
============
``vssh`` is a SSH client that uses Hashicorp's vault to authenticate with SSH
certificates.
How it works:
* first of all you need to configure the SSH certificate authority in Vault
(see `Vault documentation <https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html>`_)
- inject the CA private and public keys into Vault
- configure the target OpenSSH servers to accept keys signed by the CA
* just as with an usual SSH client, specify to vssh
- which server you want to connect to
- witch which remote user
- witch private key to use
* say how to to connect to Vault
- Vault address
- Vault authentication (token, login/password, ...)
* say which SSH signing role to use in Vault
vssh will then
* submit your SSH private key to vault for signing
* fetch the signed SSH certificate from vault
* use the private key and the certificate to authenticate and connect to the
remote SSH server
vssh can open an interactive shell on the remote server, or execute a command.
install
=======
Nothing special. Just copy the binary into your PATH.
compile
=======
The dependencies are vondored using `dep <https://golang.github.io/dep/>`_. You
do not need it to compile vssh. Just clone in an appropriate directoty (GOROOT)
and run ``make release``.
.. code-block:: bash
mdkir -p ~/go/src/github.com/stephane-martin
cd ~/go/src/github.com/stephane-martin
git clone https://github.com/stephane-martin/vssh
cd vssh
make release
develop
=======
* Clone the repository in an appropriate go directory.
* Install `dep <https://golang.github.io/dep/>`_ and
`golangci-lint <https://github.com/golangci/golangci-lint>`_.
* Compile with ``make debug`` and lint with ``make lint``.
usage
=====
vssh can open an interactive SSH session (``vssh ssh``), execute a remote
command (``vssh ssh``), and download (``vssh download``) / upload (``vssh upload``)
files using the scp protocol.
Most of command line options can be specified with environnemt variables instead.
Check ``vssh --help`` for details.
global options
--------------
The global options are useful for the different vssh commands. They configure
the connection to Vault.
+-----------------------+--------------------------------+----------------------------------------------------------------+
| **Global option** | **Value Example** | **Definition** |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-addr`` | ``http://127.0.0.1:8200`` | vault connection URL |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-method`` | ``userpass`` | vault authentication method [token, userpass, ldap, approle] |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-username`` | ``myvaultuser`` | username for vault authentication |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-password`` | ``myvaultpass`` | password for vault authentication |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-ssh-role`` | ``myrole`` | name of the SSH sign role you have configured in Vault |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-token`` | ``s.lIz3muuaUOZe424j2ZI5GTDK`` | token for vault authentication |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-ssh-mount`` | ``ssh-client-signer`` | the path to the SSH signer in Vault |
+-----------------------+--------------------------------+----------------------------------------------------------------+
| ``--vault-auth-path`` | ``custompath`` | if the Vault authentication method is mounted to a custom path |
+-----------------------+--------------------------------+----------------------------------------------------------------+
interactive SSH session
-----------------------
.. code-block:: bash
vssh [global options] ssh [ssh options] user@host
vssh ssh --help
vssh needs a private key to send to Vault for signature. You can give it:
* a private key that is stored locally on your filesystem with ``--identity``
* or a private key stored in vault with ``--videntity``
vssh will ask for a passphrase if the private key is stored in encrypted form.
+-----------------+----------------------------+---------------------------------------------------------+
| **SSH option** | **Value Example** | **Definition** |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--identity`` | ``/path/to/id_rsa`` | file path to the SSH private key that should be signed |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--videntity`` | ``secret/id_rsa_in_vault`` | Vault path to the SSH private key that should be signed |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--insecure`` | | do not check the SSH server host key |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--native`` | | use the local ``ssh`` binary to make the connection |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--terminal`` | | force pseudo-terminal allocation |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--ssh-port`` | ``22`` | SSH server listen port |
+-----------------+----------------------------+---------------------------------------------------------+
| ``--login`` | ``admin`` | alternate way to specify the remote user |
+-----------------+----------------------------+---------------------------------------------------------+
remote command
--------------
.. code-block:: bash
vssh [global options] ssh [ssh options] user@host command
vssh [global options] ssh -t [ssh options] user@host command
Just put the command the execute at the end of the ``vssh ssh`` command line.
If the command is meant to be interactive, then you need to add the ``-t`` flag.
For example, to launch an alternate shell:
.. code-block:: bash
vssh ssh -t me@remote zsh
It is also possible to inject some Vault secrets into the remote command environment,
similarly to ``--envconsul``, with the following flags:
+----------------+-------------------+------------------------------------------------------------+
| **SSH option** | **Value Example** | **Definition** |
+----------------+-------------------+------------------------------------------------------------+
| ``--secret`` | ``secret/path`` | path of a secret to read from Vault |
+----------------+-------------------+------------------------------------------------------------+
| ``--upcase`` | | convert environment variable keys to UPPERCASE |
+----------------+-------------------+------------------------------------------------------------+
| ``--prefix`` | | prefix the environment variable keys with names of secrets |
+----------------+-------------------+------------------------------------------------------------+
download
--------
.. code-block:: bash
vssh [global options] download [download options] --target file1 [--target file2...] user@host
vssh download --help
Specify the remote files/directories you want to download with the ``--target``
flag. It can appear multiple times.
Specify the local destination path with the ``--destination`` flag.
The other flags are similar to the ``vssh ssh`` command.
+---------------------+----------------------------+---------------------------------------------------------+
| **download option** | **Value Example** | **Definition** |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--identity`` | ``/path/to/id_rsa`` | file path to the SSH private key that should be signed |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--videntity`` | ``secret/id_rsa_in_vault`` | Vault path to the SSH private key that should be signed |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--insecure`` | | do not check the SSH server host key |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--target`` | ``remotefile`` | path to the remote file to be downloaded |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--destination`` | ``/tmp`` | local destination path |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--ssh-port`` | ``22`` | SSH server listen port |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--login`` | ``admin`` | alternate way to specify the remote user |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--preserve`` | | preserve file mode, access time and modification time |
+---------------------+----------------------------+---------------------------------------------------------+
upload
------
.. code-block:: bash
vssh [global options] upload [upload options] user@host
vssh upload --help
Specify the local files/directories you want to upload with the ``--source``
flag. It can appear multiple times.
Specify the remote destination path with the ``--destination`` flag.
The other flags are similar to the ``vssh ssh`` command.
+---------------------+----------------------------+---------------------------------------------------------+
| **download option** | **Value Example** | **Definition** |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--identity`` | ``/path/to/id_rsa`` | file path to the SSH private key that should be signed |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--videntity`` | ``secret/id_rsa_in_vault`` | Vault path to the SSH private key that should be signed |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--insecure`` | | do not check the SSH server host key |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--source`` | ``localfile`` | path to the local file to be uploaded |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--destination`` | ``/tmp`` | remote destination path |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--ssh-port`` | ``22`` | SSH server listen port |
+---------------------+----------------------------+---------------------------------------------------------+
| ``--login`` | ``admin`` | alternate way to specify the remote user |
+---------------------+----------------------------+---------------------------------------------------------+
as a library
------------
TODO
examples
========
Let's assume you have configured a few environment variables, to avoid
repetition in the examples.
.. code-block:: bash
export VAULT_ADDR=https://vault.example.org:8200
export VAULT_SSH_MOUNT=ssh-client-signer
export VAULT_SIGNING_ROLE=my-vault-ssh-role
With such variables, vssh knowns:
* how to connect to the Vault server instance
* which certificate authority to use in Vault
* which SSH role to use in Vault to produce the certificates
Let's also assume you have generated a SSH private key for your local current
user::
ssh-keygen
single sign on
--------------
Open a terminal, then authenticate yourself with Vault:
.. code-block:: bash
vault login -method=userpass username=bob
The ``vault login`` command writes the resulting token in ``~/.vault_token``.
If you don't specify to vssh how to authenticate to Vault, by default it will
use that token.
You can then SSH to any server that recognizes the Vault CA:
.. code-block:: bash
vssh ssh me@myserver.example.org
execute a remote command
------------------------
.. code-block:: bash
vssh ssh me@myserver.example.org ls -al /
execute a remote command in a pseudo-terminal
---------------------------------------------
.. code-block:: bash
vssh ssh -t me@myserver.example.org zsh
inject Vault secrets in the remote session
------------------------------------------
Now let's say you want to execute a remote command on a server, but some
part of the configuration for that command is stored in Vault.
``vssh`` can work similar to ``envconsul``:
.. code-block:: bash
vssh ssh --secret secret/mysecret me@myserver.example.org backupcommand
**Locally**, ``vssh`` will read the required secret from Vault. Then it opens the SSH
connection. Then the command will be executed, with environment variables
corresponding to the secrets.
So, if ``secret/mysecret`` is something like::
foo=bar
ZOG=ZOG
then vssh executes on the remote SSH server:
.. code-block:: bash
env foo=bar ZOG=ZOG backupcommand
with the additional ``--upcase`` flag, it becomes:
.. code-block:: bash
env FOO=bar ZOG=ZOG backupcommand
or with the additional ``--prefix`` flag it becomes:
.. code-block:: bash
env secret_mysecret_foo=bar secret_mysecret_ZOG=ZOG backupcommand
Your remote SSH environment doesn't have to know anything about Vault by itself.
questions
=========
what does the ``--native`` flag do ?
------------------------------------
By default vssh uses an internal SSH client implemented in Go.
* Go implementation, so vssh does not need to launch another process.
* Might behave differently compared to the native ssh command.
* Does not read ``.ssh/config``.
* The signed certificate is not written to the filesystem, it is passed
directly to the SSH client in memory.
With ``--native``, vssh wraps the native ``ssh`` binary. It can be useful it you
wish to enable the native configuration of the SSH client (``man 5 ssh_config``).
* there vssh launches a SSH subprocess
* the SSH subprocess will read ssh_config as usual
* to pass the signed certificate to SSH, vssh has to write it to the filesystem
(it will be removed at the end of execution)
what should be the TTL for signed certificates ?
------------------------------------------------
Very short. After Vault has signed the SSH certificate, vssh uses that certificate
immediatly and only once. Every time vssh is executed, another certificate will
be created. So in theory, a TTL of a few seconds is just enough.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.