SSH Backend & Signed SSH Keys


Oliver Legg

Oct 26, 2015, 3:52:44 PM
to Vault
Has any thought been given to using a SSH CA as a Vault Backend? Either as a standalone backend or as a replacement to the existing one?

Firstly, I should say I haven’t deployed and used Vault or SSH CAs in anger – so take all of this with a grain of salt. I stumbled upon some articles today that SSH Keys could be signed by a Certificate Authority[1][2]. Apparently[3] it’s been in there since 2011.

From reading the Vault documentation, it seems like this could at least replace the “Dynamic” key type and alleviate the need to have vault modify the authorized_keys file on the remote host. It would also mean that only the client would need access to Vault, and not the server.

Arguably it could also be used to replace the OTP key type as these keys could be configured with a short validity period (lease duration) – although that would change the semantics of the current backend.

CA signed keys would continue to suffer from the drawbacks of “Dynamic” keys listed in the documentation.

I’d be interested to hear people’s thoughts on this.

Thanks

---

[1]: https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
[2]: http://www.lorier.net/docs/ssh-ca
[3]: http://security.stackexchange.com/questions/30396/how-to-set-up-openssh-to-use-x509-pki-for-authentication#comment-113387
[4]: https://godoc.org/golang.org/x/crypto/ssh#Certificate.SignCert
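
Added example, not code from this thread or from Vault: the flow Oliver describes, carried out with OpenSSH's own ssh-keygen. A CA key pair stands in for the key a Vault backend would hold, a client key is signed for a few minutes only, the certificate is decoded, the CA fingerprint is checked against a trusted one (the check sshd makes via TrustedUserCAKeys), and the two sshd_config lines a host would carry instead of authorized_keys edits are printed. All file names, the principal "deploy" and the key id "vault-demo-alice" are constructed for the demo; it needs openssh-client installed and exits quietly if ssh-keygen is missing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vault: an SSH user CA flow
# done with ssh-keygen. File names, the principal "deploy" and the key id
# "vault-demo-alice" are constructed for this demo.
set -eu

# The demo needs openssh-client; leave quietly if it is not installed.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA key pair. In the proposed backend the private half would stay
#    inside Vault; hosts only ever receive user_ca.pub.
ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/user_ca"

# 2. The client's ordinary key pair; the private key never leaves the client.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/id_alice"

# 3. An unrelated CA, used only to show that the trust check below rejects it.
ssh-keygen -q -t ed25519 -N '' -C 'other-ca' -f "$WORK/other_ca"

# Sign the client's public key.  -s: CA private key, -I: key id (appears in
# sshd's auth log), -n: principals the holder may log in as, -V: validity
# window, the certificate-world counterpart of a Vault lease ("+5m" = valid
# for five minutes from now).  Prints the path of the certificate file that
# ssh-keygen writes next to the public key.
sign_short_lived() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'vault-demo-alice' -n deploy -V +5m "$WORK/id_alice.pub"
  printf '%s\n' "$WORK/id_alice-cert.pub"
}

# Decode the certificate the way an admin would when debugging a login.
inspect_cert() {
  ssh-keygen -L -f "$1"
}

# The check sshd performs through TrustedUserCAKeys, in miniature: the CA
# that signed certificate $1 must be the trusted CA public key $2.
# Compared by the SHA256 fingerprints ssh-keygen prints for each.
issued_by_trusted_ca() {
  cert_ca_fp=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')
  trusted_fp=$(ssh-keygen -l -f "$2" | awk '{ print $2 }')
  [ -n "$cert_ca_fp" ] && [ "$cert_ca_fp" = "$trusted_fp" ]
}

# What a host carries instead of per-user authorized_keys entries: trust the
# CA, and map each login name to the principals allowed to use it.  The host
# needs no access to Vault at all.
server_config_lines() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

CERT=$(sign_short_lived)
inspect_cert "$CERT"
issued_by_trusted_ca "$CERT" "$WORK/user_ca.pub" && echo "certificate was signed by the trusted CA"
server_config_lines
```

Once the validity window passes, sshd rejects the certificate without anything changing on the host, which is the lease-like behaviour the OTP comparison above is about; pulling a certificate before it expires needs the separate RevokedKeys mechanism in sshd_config, and hosts must keep reasonably accurate clocks for the window to mean anything.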

Armon Dadgar

Oct 27, 2015, 3:07:54 PM
to Oliver Legg, vault...@googlegroups.com
Hey Oliver,

We haven’t really considered going down that path. We recommend using the OTP path as it
has the least number of drawbacks and is arguably much simpler overall. PKI introduces many
new challenges and SSH with CAs is not commonly deployed.

I think it would certainly be possible, and most of the functionality is already there given the
SSH and PKI backends, however I think the OTP approach is much simpler to reason about.

Hope that helps!

Best Regards,
Armon Dadgar
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/E9BD6769-627B-45A3-8CA5-A73EC42EC07B%40gmail.com.
For more options, visit https://groups.google.com/d/optout.