Simplifying Vault auth for locally authenticated users


Rhinoceros Sondaicus

Feb 15, 2017, 5:27:00 PM
to Vault
Hi,

We are using Vault with Ansible (jhaals/ansible-vault + ansible-modules-hashivault). Vault server runs on the Ansible control node, and is not accessible from outside. The workflow is the following:
- operator SSHs into an Ansible control node;
- operator authenticates himself with Vault (using LDAP);
- operator runs Ansible playbooks that use Vault for secrets management;
- operator logs out.

The problem here is that the operator in fact has to authenticate twice using the same credentials (LDAP is used for UNIX authentication at the control box). Couldn't the process be simplified? As soon as the operator's identity is *already* established, couldn't he be automatically granted a Vault token that would be valid during the current SSH session only?

A similar approach is used in the GNOME desktop environment. There's a service called GNOME Keyring - it's a secure secrets storage for desktop applications. The keyring is automatically unlocked should the PAM login succeed. Can't we use the same approach with Vault? (keeping in mind that "unlocking a keyring" is in fact unsealing in terms of Vault, and what we need is not unsealing but rather authentication).

The process of unlocking the GNOME keyring is implemented with a PAM module that communicates with gnome-keyring-daemon. I can imagine a similar architecture for Vault. Do you think it's viable?

Thx

Vishal Nayak

Feb 15, 2017, 5:54:58 PM
to vault...@googlegroups.com
Hi Rhinoceros,

Having a PAM module authenticate users against Vault is not a great
solution to the problem of getting the first token, since PAM modules
are very platform specific.

Regarding the operator's identity already being established, what matters
is with whom the identity is already established. Vault has no way to
know about UNIX authentication being successful and will never rely on
such factors to issue a token.

Off of the existing feature set of Vault, the only way I see to not
"manually" authenticate the second time is to use the aws-ec2 auth backend
in Vault. But that only works if the control node is an AWS EC2
instance.

Regards,
Vishal



--
vn
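The closest thing Vault's own feature set offers to "a token valid during the current SSH session only" is on the client side: Vault's CLI can be pointed at an external token helper (a `token_helper = "/path/to/helper"` line in `~/.vault`), which Vault invokes as `helper get`, `helper store` (token on stdin) or `helper erase`. The script below, added here as an illustration and not code from the thread or from the Vault project, is such a helper that keys the cached token on the SSH session (`SSH_CONNECTION`, falling back to `XDG_SESSION_ID`) and keeps it in `XDG_RUNTIME_DIR`, which logind removes when the user's last session ends. The helper path, the function names and the sample environment values are assumptions. Note the caveat that matches Vishal's point: this only scopes the *cached copy*; the token's own TTL is whatever the LDAP auth backend issued, so the token should additionally be revoked from the shell's logout hook if a short lifetime matters.

```python
#!/usr/bin/env python3
"""Vault token helper scoped to the current login session (illustrative, assumed wiring).

Assumed ~/.vault entry:
    token_helper = "/usr/local/bin/vault-session-token-helper"
Vault calls the helper as `helper get|store|erase`; `store` receives the token
on stdin and `get` must write it to stdout.
"""
import hashlib
import os
import sys
from pathlib import Path


def session_id(env):
    """Derive a stable, non-reversible identifier for the login session."""
    material = env.get("SSH_CONNECTION") or env.get("SSH_CLIENT") or env.get("SSH_TTY")
    if not material:
        # Not an SSH login: fall back to the logind session id so separate
        # local logins still get separate cached tokens.
        material = env.get("XDG_SESSION_ID") or "no-session"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def default_base_dir(env):
    """Per-user runtime directory; logind removes it when the last session ends."""
    runtime = env.get("XDG_RUNTIME_DIR")
    if runtime:
        return Path(runtime)
    return Path(f"/tmp/vault-token-{os.getuid()}")  # weaker fallback: survives logout


def token_path(base_dir, env):
    return Path(base_dir) / f"vault-token-{session_id(env)}"


def store(base_dir, env, token):
    """Write the token with mode 0600 from the moment the file exists."""
    path = token_path(base_dir, env)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token.strip())
    return path


def get(base_dir, env):
    """Return the cached token for this session, or "" if none is cached."""
    try:
        return token_path(base_dir, env).read_text().strip()
    except FileNotFoundError:
        return ""


def erase(base_dir, env):
    """Remove the cached token; True if something was removed."""
    try:
        token_path(base_dir, env).unlink()
        return True
    except FileNotFoundError:
        return False


def main(argv, env=None, stdin=None, stdout=None):
    """Entry point implementing Vault's get/store/erase helper protocol."""
    env = os.environ if env is None else env
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    if len(argv) != 2 or argv[1] not in ("get", "store", "erase"):
        return 2
    base = default_base_dir(env)
    if argv[1] == "store":
        store(base, env, stdin.read())
    elif argv[1] == "get":
        stdout.write(get(base, env))
    else:
        erase(base, env)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this in place the operator still runs `vault login` (LDAP) once per SSH session, but a second SSH session, or a local login on the same box, does not see that token, and the cached copy disappears with the runtime directory on logout. The Vault-side token remains valid until its TTL or an explicit revoke, which is exactly the gap the reply above describes.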

Rhinoceros Sondaicus

Feb 16, 2017, 5:57:24 AM
to Vault
Hi Vishal, thanks for the response,

OK, I've got the point. Unfortunately, we're not using EC2.

Regardless of what's ATM implemented in Vault and what's not, could we discuss some hypothetical models?

I remember one guy here once mentioned KeyCloak. We're using it in the infrastructure, and I'm myself a contributor to the KeyCloak project. From what I know, it shouldn't be that hard to integrate it with Vault (provided that app roles in Vault are capable of issuing tokens on their own). The workflow could look like the following:
- the user logs into KeyCloak and goes to account page;
- the user selects "Personal keys" tab and obtains Vault token from there (just like GitHub) or requests token reissue;
- the user authenticates himself to Vault using token.

Unfortunately, this doesn't allow for fully automatic login to Vault, just slightly simplifies the process. The token would have to be copy-pasted from the browser into the console manually.

Another idea is to use SSH (not TLS) certificates somehow. If a user logs into a control node with an SSH cert, I wonder whether it is possible for Vault to employ the SSH authentication mechanism (using ssh-agent maybe) to authenticate the user? What do you think?

Cheers,
Rhino

Vishal Nayak

Feb 16, 2017, 11:36:08 AM
to vault...@googlegroups.com
Hi Rhinoceros,

I am not sure about KeyCloak yet but Vault acting as an SSH CA is
certainly on our radar https://github.com/hashicorp/vault/pull/2208.

Regards,
Vishal