SSH CA problem


Robin Gruyters

Mar 31, 2017, 3:48:58 AM
to Vault
Hi,

I'm trying to set up SSH CA in my test environment. I have two servers both running the latest Ubuntu LTS release, 16.04, and Vault 0.7 running on one of the servers.
ubuntu-01 is the remote server and ubuntu-02 is the client server.

I have generated the host CA key with Vault and added it to /etc/ssh/ssh_known_hosts on both servers with "@cert-authority *.local" in front of it. Then I signed the host public RSA key of ubuntu-01, https://www.vaultproject.io/docs/secrets/ssh/index.html#sign-the-host-key, and added "HostCertificate /etc/ssh/ssh_host_rsa-signed.pub".
Tested if the host CA works and that is fine. No prompt to validate the host key.

Then I generated the client CA key with Vault and added it to the file /etc/ssh/ssh_trusted_keys.pub on ubuntu-01. Then I updated /etc/ssh/sshd_config on ubuntu-01 to add "TrustedUserCAKeys /etc/ssh/ssh_trusted_keys.pub".

Last but not least, I signed my own public key by following the steps at https://www.vaultproject.io/docs/secrets/ssh/index.html#sign-the-client-key.
When I try to SSH to ubuntu-01 it prompts for a password:

$ ssh -i .ssh/id_rsa-signed.pub ubuntu-01.local
ro...@ubuntu-01.local's password:

If I check the /var/log/auth.log I see the following message:
..
Mar 31 09:45:39 ubuntu-01 sshd[31072]: error: key_cert_check_authority: invalid certificate
Mar 31 09:45:39 ubuntu-01 sshd[31072]: error: Certificate lacks principal list
..

What am I doing wrong?
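The two auth.log lines above are sshd's own words for one condition: the user certificate it was handed carries an empty principal list, so it is rejected before any signature or CA trust question arises (sshd's certificate check refuses a user cert with zero principals and then reports "invalid certificate"). The quickest check on the client is `ssh-keygen -L -f ~/.ssh/id_rsa-signed.pub` and a look at its Principals line. The following is an added example, not code from the thread or from Vault: a small Python parser for the OpenSSH certificate wire format that pulls out the principal list and applies the same checks sshd does, plus a constructed certificate builder (dummy key material and signature, no cryptographic validity) so it can be run offline. Names such as `parse_cert`, `sshd_reasons` and `build_user_cert` are this example's own. Which Vault parameter fills the principal list (a `valid_principals` value on the sign request or a default user on the role) is an assumption drawn from later Vault docs, not from the thread.

```python
"""Inspect an OpenSSH user certificate for the condition behind
sshd's "Certificate lacks principal list" error (added example)."""
import base64
import struct
from dataclasses import dataclass

# Number of SSH "string" fields carrying public-key material between the
# nonce and the serial, per certificate type (RFC 4251 framing).
PUBKEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,              # mpint e, mpint n
    "ssh-ed25519-cert-v01@openssh.com": 1,          # string pk
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # string curve, string Q
}
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2


def _string(b: bytes) -> bytes:
    """Encode an SSH string: uint32 big-endian length followed by payload."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self.take(8))[0]

    def string(self) -> bytes:
        return self.take(self.u32())

    def exhausted(self) -> bool:
        return self.pos >= len(self.data)


def _name_list(blob: bytes) -> list:
    """The 'valid principals' field is a string of packed strings."""
    r, out = _Reader(blob), []
    while not r.exhausted():
        out.append(r.string().decode())
    return out


def _options(blob: bytes) -> dict:
    """Critical options and extensions: repeated (string name, string data)."""
    r, out = _Reader(blob), {}
    while not r.exhausted():
        name = r.string().decode()
        out[name] = r.string()
    return out


@dataclass
class Cert:
    key_type: str
    serial: int
    cert_type: int
    key_id: str
    principals: list
    valid_after: int
    valid_before: int
    critical_options: dict
    extensions: dict


def parse_cert(line: str) -> Cert:
    """Parse one line of an OpenSSH *-cert.pub file (signature not verified)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in PUBKEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate line")
    r = _Reader(base64.b64decode(parts[1]))
    key_type = r.string().decode()
    if key_type != parts[0]:
        raise ValueError("key type mismatch between text and blob")
    r.string()  # nonce
    for _ in range(PUBKEY_FIELDS[key_type]):
        r.string()  # public-key material, not needed for this check
    serial, cert_type = r.u64(), r.u32()
    key_id = r.string().decode()
    principals = _name_list(r.string())
    valid_after, valid_before = r.u64(), r.u64()
    critical, extensions = _options(r.string()), _options(r.string())
    r.string()  # reserved
    r.string()  # signature key (the CA public key)
    r.string()  # signature
    return Cert(key_type, serial, cert_type, key_id, principals,
                valid_after, valid_before, critical, extensions)


def sshd_reasons(cert: Cert, login_name: str, now: int) -> list:
    """Rejection reasons mirroring sshd's user-certificate authority checks."""
    reasons = []
    if cert.cert_type != CERT_TYPE_USER:
        reasons.append("Certificate invalid: not a user certificate")
    if not cert.principals:
        reasons.append("Certificate lacks principal list")
    elif login_name not in cert.principals:
        reasons.append("Certificate invalid: name is not a listed principal")
    if now < cert.valid_after:
        reasons.append("Certificate invalid: not yet valid")
    if now >= cert.valid_before:
        reasons.append("Certificate invalid: expired")
    return reasons


def build_user_cert(principals, key_id="test", valid_after=0,
                    valid_before=2**64 - 1, serial=1) -> str:
    """Constructed ed25519 user cert with dummy key and signature, for parsing only."""
    t = "ssh-ed25519-cert-v01@openssh.com"
    blob = (_string(t.encode()) + _string(b"\x00" * 32) + _string(b"\x00" * 32)
            + struct.pack(">QI", serial, CERT_TYPE_USER) + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"")                                      # no critical options
            + _string(_string(b"permit-pty") + _string(b""))    # one flag extension
            + _string(b"") + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 32))
            + _string(b""))                                     # dummy signature
    return f"{t} {base64.b64encode(blob).decode()} {key_id}"


if __name__ == "__main__":
    for princ in ([], ["robin"]):
        c = parse_cert(build_user_cert(princ, key_id="vault-demo"))
        print(c.principals, sshd_reasons(c, "robin", 1490951139))
```

Run against a real certificate, `parse_cert(open("id_rsa-signed.pub").read())` shows whether the principal list is empty; if it is, the fix belongs on the Vault side (issue the certificate with the principal the login name must match), not in sshd_config.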

Jeff Mitchell

Mar 31, 2017, 5:17:07 PM
to Vault
Note: being tracked in https://github.com/hashicorp/vault/issues/2551 instead.

