Hashicorp Vault SSH Secrets Engine: One-Time SSH Password

In this guide I will explain what Vault SSH Secrets engine is, how it works and how you can implement it.


The Vault SSH secrets engine provides authentication and authorization for access to machines over the SSH protocol. It supports two modes: signed SSH certificates and one-time SSH passwords (OTP). In OTP mode, Vault issues a single-use password for a given user and target IP, and the vault-ssh-helper on the target verifies it against Vault through PAM, after which the password is invalidated. This post walks through configuring the one-time SSH password mode on Debian-based systems.


Assumptions:

  • Vault client is installed on the client machine
  • Vault server is configured
  • sshpass is installed on the client machine (the vault ssh command uses it to supply the OTP)
  • Vault client is able to authenticate with Vault Server

Steps:

  1. From your local machine, once authenticated with the Vault server, mount the SSH secrets engine path:

vault secrets enable ssh

  2. Spin up a fresh server instance.

  3. SSH onto the instance and configure the following:

  • Download vault-ssh-helper and extract it to /usr/local/bin.
  • Create the directory /etc/vault-ssh-helper.d and write the following to /etc/vault-ssh-helper.d/config.hcl (substitute the address of your Vault server for $VAULT_ADDR):

vault_addr = "$VAULT_ADDR"
ssh_mount_point = "ssh"
tls_skip_verify = false
allowed_roles = "*"

  • Test the config:

vault-ssh-helper -verify-only -config=/etc/vault-ssh-helper.d/config.hcl

  • Modify /etc/pam.d/sshd so that the helper validates the OTP (note that the include of common-auth is commented out):

#@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay

  • Modify /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no

  • Finally, create a test user:

sudo useradd testuser

  4. Configure the Vault SSH engine:

  • Create a role (key_type=otp selects one-time-password mode, and cidr_list restricts the role to the new instance's address):

vault write ssh/roles/otp_key_role key_type=otp default_user=testuser cidr_list=$INSTANCE_IP/32

  • Finally, ssh onto the new instance with the vault ssh command, which requests an OTP for the role and hands it to sshpass:

vault ssh -role otp_key_role -mode otp testuser@$INSTANCE_IP
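As an added example (not part of the original guide or of Vault's own tooling), the script below audits the two files edited on the target host in step 3 and reports settings that would weaken the OTP setup: password authentication left on, TLS verification disabled, or the permissive allowed_roles = "*". The helper-config check is deliberately strict and insists on an explicit https:// URL for vault_addr rather than a placeholder; the sample files it runs against are constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit the sshd_config and
# vault-ssh-helper config.hcl edited in step 3 and flag weak settings.
# Assumes only grep, sed, awk and mktemp; file paths are passed as arguments.

# Exit 0 when every directive has the expected value, 1 otherwise.
check_sshd_config() {
  local f="$1" rc=0 pair key want got
  # sshd honours the first uncommented occurrence of a directive, so read that one.
  for pair in "UsePAM yes" "ChallengeResponseAuthentication yes" "PasswordAuthentication no"; do
    key="${pair% *}"; want="${pair#* }"
    got=$(grep -iE "^[[:space:]]*${key}[[:space:]]" "$f" | head -n1 | awk '{print tolower($2)}')
    if [ "$got" != "$want" ]; then
      echo "sshd_config: $key should be '$want' (found '${got:-unset}')"; rc=1
    fi
  done
  return "$rc"
}

# Read one top-level key (string or bool) from the helper's HCL file.
hcl_get() { grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n1 | sed -E 's/^[^=]*=[[:space:]]*"?([^"[:space:]]*)"?.*/\1/'; }

check_helper_config() {
  local f="$1" rc=0
  # With TLS verification off the helper would accept any endpoint posing as Vault.
  if [ "$(hcl_get "$f" tls_skip_verify)" != "false" ]; then
    echo "config.hcl: tls_skip_verify must be false"; rc=1
  fi
  # Policy of this check: an explicit https:// URL, not a placeholder like $VAULT_ADDR.
  case "$(hcl_get "$f" vault_addr)" in
    https://*) ;;
    *) echo "config.hcl: vault_addr should be an explicit https:// URL"; rc=1 ;;
  esac
  # allowed_roles = "*" lets an OTP issued under any role log in here: warn, do not fail.
  if [ "$(hcl_get "$f" allowed_roles)" = "*" ]; then
    echo "config.hcl: warning, allowed_roles=\"*\" accepts OTPs from every role"
  fi
  return "$rc"
}

# Constructed sample files so the checks can run offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' 'PasswordAuthentication no' > "$SAMPLE_DIR/sshd_config.good"
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication yes' > "$SAMPLE_DIR/sshd_config.weak"
printf '%s\n' 'vault_addr = "https://vault.example.internal:8200"' 'ssh_mount_point = "ssh"' \
  'tls_skip_verify = false' 'allowed_roles = "*"' > "$SAMPLE_DIR/config.hcl"
printf '%s\n' 'vault_addr = "$VAULT_ADDR"' 'tls_skip_verify = true' > "$SAMPLE_DIR/config.weak.hcl"

check_sshd_config "$SAMPLE_DIR/sshd_config.good" && check_helper_config "$SAMPLE_DIR/config.hcl" \
  && echo "OTP prerequisites look right"
```

Point the two functions at /etc/ssh/sshd_config and /etc/vault-ssh-helper.d/config.hcl on the host to check a real installation.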