How to do port forwarding with vault ssh


ma...@actyx.io

Dec 6, 2017, 4:51:38 AM
to Vault
Hello all,

We are starting to use Vault SSH OTP to access all of our servers. However, we have a problem. We use port forwarding quite a bit, but there seems to be no way to do it with vault ssh. Doing vault ssh -L says the -L option is not defined, and trying to enter SSH command mode (via <Enter>~C) just seems to hang the SSH session. Adding a LocalForward section to the Host section for the appropriate host in $HOME/.ssh/config does not work either.

The only thing I've found to work is to use SSH connection sharing via the ControlMaster setting in $HOME/.ssh/config, open a normal vault ssh connection, and then open another ssh session in the terminal. However, that is quite annoying.

Any ideas?

Thanks,
-Mario.



Jeff Mitchell

Dec 11, 2017, 3:16:31 PM
to Vault
Hi Mario,

What `vault ssh` does is simply make the call to Vault to get an OTP and then open an SSH session for you. You may have to make a tiny custom script (should be pretty trivial with using -format=json with the Vault CLI and some slicing and dicing with jq) that pulls the OTP out of the Vault response and then uses it with a normal ssh command.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/e2098ac9-6b3e-4f0b-845c-31ca8606ddb5%40googlegroups.com.
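A small wrapper script of the kind Jeff describes, added here as an example and not code from the thread or from Vault itself: it asks Vault for an OTP with -format=json, extracts the fields, and opens a normal ssh with -L. The ssh/creds mount path, the role name, and the sample response embedded for testing are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: Vault SSH OTP plus ssh -L port forwarding, without `vault ssh`.
# Assumes VAULT_ADDR/VAULT_TOKEN are set and the OTP role lives under
# ssh/creds/<role> (mount path and role name are assumptions); sshpass is optional.

# Constructed sample of what `vault write -format=json ssh/creds/<role> ip=...` returns.
SAMPLE_RESPONSE='{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "data": {
    "ip": "10.0.0.5",
    "key": "2f7e25a2-24c9-5042-836e-8ad2e6e4ad22",
    "key_type": "otp",
    "port": 22,
    "username": "mario"
  }
}'

# json_field JSON NAME: print the value of "NAME" (quoted string or bare number)
# from Vault's pretty-printed JSON. Plain sed so it works without jq; with jq
# installed, `jq -r .data.key` does the same job more robustly.
json_field() {
  printf '%s\n' "$1" |
    sed -n 's/.*"'"$2"'": *"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# ssh_forward_with_otp ROLE IP LOCALFORWARD: request an OTP and open ssh -L.
ssh_forward_with_otp() {
  role=$1; ip=$2; fwd=$3
  resp=$(vault write -format=json "ssh/creds/$role" "ip=$ip") || return 1
  otp=$(json_field "$resp" key)
  user=$(json_field "$resp" username)
  port=$(json_field "$resp" port)
  # Force password/keyboard-interactive auth so ssh prompts for exactly the OTP.
  set -- -o PreferredAuthentications=keyboard-interactive,password \
         -o PubkeyAuthentication=no -p "${port:-22}" -L "$fwd" "$user@$ip"
  if command -v sshpass >/dev/null 2>&1; then
    exec sshpass -p "$otp" ssh "$@"
  fi
  echo "OTP for the session is: $otp" >&2   # single-use; paste at the prompt
  exec ssh "$@"
}

# Usage: ./vault-ssh-fwd.sh <role> <host-ip> 8080:localhost:80
if [ "$#" -eq 3 ]; then ssh_forward_with_otp "$@"; fi
```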
