Vault SSH Helper Error [unsupported scheme. use 'dev' mode]


Wyatt Frelot

Sep 9, 2016, 12:23:36 PM
to Vault
Good day all,

I am new to using Vault and I am just trying to understand capabilities and how to evaluate the various use cases.

The current use case I am evaluating is setting up a remote host to authenticate using the ssh backend (OTP).

I am getting the following error when Verifying Configuration:

2016/09/09 16:21:29 [ERROR]: unsupported scheme. use 'dev' mode


I have deployed Vault (No Dev Server) using Consul

I "believe" I followed the directions to configure both Vault and Vault SSH Helper in order to do this.

List of mounts:

Path        Type       Default TTL  Max TTL    Descr
cubbyhole/  cubbyhole  n/a          n/a        per-t
pki/        pki        system       315360000
secret/     generic    system       system     genr
ssh/        ssh        system       system
Added the following to the /etc/pam.d/sshd file:

#@include common-auth-->
auth requisite pam_exec.so quiet expose_authtok log=/log/vault/vaultssh.log /vault/vault-ssh-helper -config=/etc/vault.d/vault_ssh.hcl

auth optional pam_unix.so not_set_pass use_first_pass nodelay

Vault Config:

backend "consul" {
  address = "X.X.X.X:8500"
  path = "vault"
}

listener "tcp" {
  address = "X.X.X.X:8200"
  tls_disable = 1
}

disable_mlock = true

Vault SSH Config:

vault_addr = "http://X.X.X.X:8200"
ssh_mount_point = "ssh"
tls_skip_verify = true

Once Consul (1 master) and Vault are started in non-dev mode, I would think there should not be any other issues.

Wyatt Frelot

Sep 9, 2016, 12:32:15 PM
to Vault
Additionally, I think I found the code in vault-ssh-helper/main.go

Lines 84-86:

} else if strings.HasPrefix(strings.ToLower(clientConfig.VaultAddr), "http://") {
    return fmt.Errorf("unsupported scheme. use 'dev' mode")
}

If I am reading this correctly, it ensures that it only runs with TLS engaged? I guess I could do that, but I was only testing to verify that it works.

Jeff Mitchell

Sep 12, 2016, 4:14:29 PM
to vault...@googlegroups.com
Hi Wyatt,

Non-TLS connections are only supported if you run the helper in dev mode.

Best,
Jeff
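As an added example (not code from the thread, and not vault-ssh-helper's own implementation): the decision Wyatt quoted from main.go, together with Jeff's answer, written out as a standalone Go check so the outcome for each configuration can be seen without a running Vault. The HelperConfig type, the Validate function and the warning strings are assumptions made for this example; the real config keys are vault_addr, ssh_mount_point and tls_skip_verify, and the helper's -dev flag is what the Dev field stands in for.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// HelperConfig holds the vault-ssh-helper settings that matter for this
// check (the vault_addr, ssh_mount_point and tls_skip_verify keys from the
// config posted in the thread) plus Dev, standing in for the helper's -dev
// flag. Hypothetical type for this example, not the helper's own struct.
type HelperConfig struct {
	VaultAddr     string
	SSHMountPoint string
	TLSSkipVerify bool
	Dev           bool
}

// ErrUnsupportedScheme carries the same message the poster saw.
var ErrUnsupportedScheme = errors.New("unsupported scheme. use 'dev' mode")

// Validate reproduces the decision quoted from main.go: outside dev mode a
// plaintext http:// Vault address is refused, because the helper forwards the
// one-time password it received from sshd to Vault for verification and that
// password must not cross the network in the clear. Settings that are
// accepted but weaken the channel come back as warnings.
func Validate(c HelperConfig) ([]string, error) {
	u, err := url.Parse(c.VaultAddr)
	if err != nil {
		return nil, fmt.Errorf("vault_addr %q: %w", c.VaultAddr, err)
	}
	if c.SSHMountPoint == "" {
		return nil, errors.New("ssh_mount_point must not be empty")
	}

	var warnings []string
	switch strings.ToLower(u.Scheme) {
	case "https":
		if c.TLSSkipVerify {
			// Encrypted but unauthenticated: anyone who can redirect traffic
			// can impersonate Vault and collect the OTP. Test-only setting.
			warnings = append(warnings, "tls_skip_verify=true: Vault's certificate is not verified")
		}
	case "http":
		if !c.Dev {
			return nil, ErrUnsupportedScheme
		}
		warnings = append(warnings, "dev mode: OTP is sent to Vault over plaintext HTTP")
	default:
		return nil, fmt.Errorf("vault_addr %q: scheme %q is neither http nor https", c.VaultAddr, u.Scheme)
	}
	return warnings, nil
}

func main() {
	// Constructed inputs that mirror the thread: the posted config, the same
	// config under -dev, and a TLS configuration for a non-dev deployment.
	cases := []struct {
		name string
		cfg  HelperConfig
	}{
		{"posted (http, no dev)", HelperConfig{VaultAddr: "http://X.X.X.X:8200", SSHMountPoint: "ssh", TLSSkipVerify: true}},
		{"posted with -dev", HelperConfig{VaultAddr: "http://X.X.X.X:8200", SSHMountPoint: "ssh", TLSSkipVerify: true, Dev: true}},
		{"https, cert verified", HelperConfig{VaultAddr: "https://X.X.X.X:8200", SSHMountPoint: "ssh"}},
	}
	for _, tc := range cases {
		warnings, err := Validate(tc.cfg)
		fmt.Printf("%-24s err=%v warnings=%v\n", tc.name, err, warnings)
	}
}
```

For a non-dev deployment the fix is the third case: enable TLS on the Vault listener, point vault_addr at https://..., and replace tls_skip_verify = true with ca_cert pointing at the CA that issued Vault's certificate. tls_skip_verify only hides the certificate error; it leaves the OTP exposed to anyone who can impersonate Vault. Rerunning vault-ssh-helper -verify-only -config=... against the corrected config is the same check Wyatt was performing when the error appeared.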