Vault Password Rotation - Linux LDAP Client
193 views
Skip to first unread message
Dan Crisp
Mar 26, 2019, 11:10:38 AM3/26/19
to Vault
Hi,
We've just started showing some interest in Vault and whether is suitable for our environment and needs. We think the immediate quick win would be use Vault for password rotation for the root user on all our Linux servers. We currently have nothing like that in place and in some cases, the root password hasn't changed since implementation. Having read what's involved and what's required to be in place and what changes are needed, we have a concern associated with the PAM and SSH aspects and whether the pertinent changes would clash with configuration that is already present. We use an LDAP solution to authenticate to all our Linux servers and certain PAM and SSH configuration must be present in order to successfully authenticate. By merging what's mandatory for the Vault Helper, will this inadvertently knock out our current PAM and SSH configuration and prevent us from authenticating to our servers?
Thanks,
Dan.
Becca Petrin
Mar 26, 2019, 7:27:27 PM3/26/19
to Vault
Hi Dan,
It's hard to say offhand. What LDAP solution do you use?
-Becca
Dan Crisp
Mar 27, 2019, 4:22:02 PM3/27/19
to Vault
Hello Becca,
Thanks for the reply. We use OpenDJ. Very similar to OpenDS and Oracle Directory Server.
Dan.
Becca Petrin
Mar 28, 2019, 12:19:48 PM3/28/19
to Vault
Hi Dan,
Thanks for sharing that. Ah, I see you're probably referring to this: https://github.com/hashicorp/vault-ssh-helper. Had you already seen its README? If not, does it answer any of your questions?
Thanks,
Becca
Dan Crisp
Mar 28, 2019, 6:02:53 PM3/28/19
to vault...@googlegroups.com
Thanks again for the reply Becca. I had already seen the README and that's what prompted me to start posting in this group. Sorry, I should of mentioned before the extent of my research. I'm starting to get the impression, that the Vault OTP theory is probably more suitable for situations where no regular users are present on a server and a situation may arise, whereby an engineer for example needs access to perform some troubleshooting etc. for a period of time. Our need is kind of the reverse whereby we have and need regular users associated (served via LDAP) with all our servers however occasionally, a third party contractor requires access and we have up till now, always manually added account where necessary. We was hoping that but using Vault, we could avoid that process going forward.
Thanks,
Dan.
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/1f864bf5-6654-45b8-89db-e11202603725%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Nathan Hruby
Mar 28, 2019, 6:55:12 PM3/28/19
to vault...@googlegroups.com
Hi Dan,
It sounds like the "dynamic secrets" process and scripts discussed here:
would be useful to your situation.
https://github.com/hashicorp/vault/issues/1087 also might be of interest to enable an LDAP solution of short term ephemeral creds.
Lastly, I haven't tried this but you might be able to use sshd's ForceCommand config or a ssh key command= option to specifically call a wrapper script that calls the vault-ssh-helper util and spawns a shell on success. This would require setup on a long running shared user account but still allow you to use the "one timeyness" offered by OTP with no/low system config changes.
HTH,
-n
ps.. In a non-vault way, assuming you're using the ldap patch on a modern openssh to store pubkeys in ldap and contractors have no access to update ldap, you could generate a key for a contractor on a shared user, give them the private side, and have the public side in ldap expire using the expiry-time= option. See the AUTHORIZED_KEYS FILE FORMAT section in sshd(8) for info.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/CACeXG5qQT_CnV4Mb0Eva6g_wH2%2BdEW-bxNqr5%3DsQ7L2K8Wb_rw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages