

[Linux] Managing SSH authentication with Vault



Test environment

Host name       IP             Role           OS             Notes
vault-server    192.168.0.51   vault server   ubuntu 22.04
node1           192.168.0.61   ssh server     ubuntu 22.04
node2           192.168.0.62   ssh client     centos 7

Image source: https://www.pacewisdom.com/blog/wp-content/uploads/2020/12/VaultImage.png

 

Deleting existing Vault data (lab reset)

This wipes the file storage under /opt/vault/data: everything stored in Vault is lost and the server has to be initialized again. Only do this on a throwaway test server.

systemctl stop vault
rm -rf /opt/vault
mkdir -pv /opt/vault/data
chown -R vault:vault /opt/vault
systemctl start vault
systemctl status vault

 

Vault configuration

Setting environment variables

VAULT_ADDR uses plain http here because the lab listener has no TLS, so the CLI sends the root token in clear. Outside a lab, enable TLS on the listener and point VAULT_ADDR at https.

echo "export VAULT_ADDR=http://127.0.0.1:8200" >> ~/.bashrc
echo "export VAULT_API_ADDR=http://127.0.0.1:8200" >> ~/.bashrc
source ~/.bashrc
vault status

Initialize Vault

vault operator init -key-shares=1 -key-threshold=1
vault operator init | tee vault-init-$(date +"%Y%m%d-%H%M%S").txt

Run only one of the two; init works once per storage backend. The first form produces a single unseal key (1 share, threshold 1), which is what the single unseal command below assumes. The second form uses the defaults (5 shares, threshold 3, so three unseal commands would be needed) and saves the output to a file. Either way the output contains the unseal key(s) and the initial root token: keep it somewhere safe and delete it from the server afterwards.

Unseal and log in

vault operator unseal {Unseal Key}

vault operator unseal 0BRc72TDumseBHlNDgHDTFA34Ph3Tqz0rNKUkNIW9dTQ

vault login {Initial Root Token}

vault login hvs.e7vFgS6NwWllLEMT9X000Aqx

Show information about the current token

vault token lookup

Show seal and HA status

vault status

Enable the syslog audit device

vault audit enable syslog

[Vault Server]

Enable the SSH secrets engine at the path ssh-client-signer

vault secrets enable -path=ssh-client-signer ssh

Generate the client CA (certificate authority) signing key

vault write ssh-client-signer/config/ca generate_signing_key=true

Print the CA public key (this is the key the target hosts will trust)

vault read -field=public_key ssh-client-signer/config/ca

Configure a role (my-role)

allowed_users "*" lets the requester ask for a certificate for any principal, including root; default_user is only used when the signing request names no principal. Whoever can call ssh-client-signer/sign/my-role therefore chooses the login name, so in practice list the permitted users explicitly and keep the token that may call this path narrowly scoped. permit-pty is the extension that allows an interactive shell, and ttl means every certificate issued under this role expires 30 minutes after signing.

vault write ssh-client-signer/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "linuxer",
  "ttl": "30m0s"
}
EOH

Check the role

vault read ssh-client-signer/roles/my-role

 

[Target : SSH Server]

Add the CA public key to each target host

Tasks on the SSH server (sshd)

Save the CA public key as /etc/ssh/trusted-user-ca-keys.pem. The public_key endpoint needs no token, and here it is fetched over plain HTTP, so before trusting the file compare it with the key printed by vault read -field=public_key ssh-client-signer/config/ca on the Vault server: a swapped CA key in this file would let whoever holds the matching private key log in as any user.

curl -s http://192.168.0.51:8200/v1/ssh-client-signer/public_key -o /etc/ssh/trusted-user-ca-keys.pem
cat /etc/ssh/trusted-user-ca-keys.pem

sshd configuration (/etc/ssh/sshd_config)

echo 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' >> /etc/ssh/sshd_config
echo "PubkeyAcceptedKeyTypes=+ssh-rsa,ssh-rsa-cert-v01@openssh.com" >> /etc/ssh/sshd_config

TrustedUserCAKeys is the line that does the work: sshd accepts any user certificate signed by a key in that file, for the principals named in the certificate. The second line is a compatibility concession, not part of certificate setup. PubkeyAcceptedKeyTypes is the old name of PubkeyAcceptedAlgorithms (still accepted as an alias), and adding ssh-rsa and ssh-rsa-cert-v01@openssh.com re-enables RSA signatures over SHA-1, which OpenSSH disables by default since 8.8 because of SHA-1 collision attacks. Add it only if an old client (the CentOS 7 client in this lab) cannot authenticate without it, and remove it once clients are upgraded; current OpenSSH and Vault negotiate rsa-sha2-256/512 for RSA certificates on their own, and an Ed25519 CA key avoids the question altogether.

Check the sshd configuration

grep -E 'TrustedUserCAKeys|PubkeyAcceptedKeyTypes' /etc/ssh/sshd_config

Restart sshd (after checking the config syntax)

sshd -t
systemctl restart sshd

 

[Client]

Tasks on the SSH client

Set the Vault server environment variables

- VAULT_TOKEN: the token issued to the SSH client, which should only be allowed to request signatures (a sign-only token). The value below reuses the initial root token from the server setup for convenience; outside a lab never put a root token on a client: anyone who can read ~/.bashrc can then administer Vault, and because the role allows any user, even a sign-only token holder can obtain a certificate for any login name.

echo 'export VAULT_ADDR=http://192.168.0.51:8200' >> ~/.bashrc
echo 'export VAULT_TOKEN="hvs.e7vFgS6NwWllLEMT9X000Aqx"' >> ~/.bashrc
source ~/.bashrc
env | grep VAULT
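The token handed to the client should not be the root token. The following is an added example, not part of the original post, of a sign-only policy and token: run "create" on the Vault server with an admin token in VAULT_TOKEN and give the printed token to the client; run "check" on the client to confirm the token in VAULT_TOKEN carries nothing beyond that policy (the root token used above fails this check). The policy name ssh-client-sign, the 24h token TTL and the helper names are assumptions; the mount and role names are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: give the SSH client a token that can
# only request signatures under my-role instead of the root token.
# Run "create" on the Vault server with an admin token in VAULT_TOKEN; run "check"
# on the client. Assumed names: policy "ssh-client-sign", 24h token TTL; the mount
# and role are the ones used on this page.
set -eu

MOUNT="${MOUNT:-ssh-client-signer}"
ROLE="${ROLE:-my-role}"
POLICY_NAME="${POLICY_NAME:-ssh-client-sign}"

# The whole policy: one path, one capability. No read on config/ca, nothing under
# roles/, and no signing under any other role on the same mount.
ssh_sign_policy() {
  cat <<EOF
path "${MOUNT}/sign/${ROLE}" {
  capabilities = ["update"]
}
EOF
}

# Register the policy and mint a renewable 24h token bound to it. Certificates
# requested with that token are still capped by the role ttl (30m on this page).
create_client_token() {
  ssh_sign_policy | vault policy write "${POLICY_NAME}" -
  vault token create -policy="${POLICY_NAME}" -ttl=24h -renewable=true \
    -display-name="ssh-client-${ROLE}" -field=token
}

# Client-side check on the JSON from `vault token lookup -format=json`: succeed
# only if the token carries nothing beyond "default" and our policy, so a root
# token (policies: ["root"]) or an admin token fails. sed/tr only, no jq needed.
token_policies_ok() {
  local json="$1" list p
  list=$(printf '%s' "$json" | tr -d '\n ' \
        | sed -n 's/.*"policies":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' '\n')
  [ -n "$list" ] || { echo "no policies found in token lookup output" >&2; return 1; }
  while IFS= read -r p; do
    case "$p" in
      default|"$POLICY_NAME") ;;
      *) echo "token carries unexpected policy: $p" >&2; return 1 ;;
    esac
  done <<EOF
$list
EOF
  return 0
}

check_current_token() {
  token_policies_ok "$(vault token lookup -format=json)"
}

case "${1:-}" in
  create) create_client_token ;;
  check)  check_current_token ;;
esac
```

The policy grants update on exactly one path, so the client can obtain certificates but cannot read the CA key, list or edit roles, or sign under another role; with allowed_users "*" on the role, the token scope is the only thing limiting what such a client can ask for.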

Client SSH authentication: generate an SSH key pair and have Vault sign it (account: linuxer)

ssh-keygen -t rsa -C "linuxer@vault"
vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/signed-cert.pub

(OR)

vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub

Set permissions

chmod 644 ~/.ssh/signed-cert.pub

Inspect the certificate

cat ~/.ssh/signed-cert.pub
ssh-keygen -Lf ~/.ssh/signed-cert.pub

Connection test from the SSH client to the SSH server

ssh -i ~/.ssh/signed-cert.pub -i ~/.ssh/id_rsa linuxer@192.168.0.61

The certificate is passed with its own -i next to the private key. If it is stored as ~/.ssh/id_rsa-cert.pub instead, ssh picks it up automatically alongside ~/.ssh/id_rsa and the first -i can be dropped. A login that stops working after a while is usually the 30-minute ttl from the role: sshd's log reports the certificate as expired, while the client only sees "Permission denied (publickey)"; re-sign the key with the vault write command above.
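Because of the 30-minute ttl, in day-to-day use the certificate is re-signed before almost every session. The wrapper below is an added example, not from the original post: it parses the output of ssh-keygen -L, connects only if the certificate is a user certificate, currently valid, issued for the login name and (optionally) signed by the expected CA, and otherwise requests a fresh signature from Vault first. It assumes the certificate is stored as ~/.ssh/id_rsa-cert.pub, that CA_FINGERPRINT may hold the SHA256 fingerprint of the CA key (ssh-keygen -lf /etc/ssh/trusted-user-ca-keys.pem), and the sample listing inside it is constructed with made-up fingerprints.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: an ssh wrapper that validates the Vault
# certificate before connecting and re-signs the key when the certificate is
# missing, expired, issued for another principal, or signed by an unexpected CA.
# Assumptions: the certificate is stored as ~/.ssh/id_rsa-cert.pub (ssh then finds
# it next to id_rsa by itself); CA_FINGERPRINT, if set, is the SHA256 fingerprint of
# the CA key; the sample listing below is constructed, with made-up fingerprints.
set -eu

MOUNT="${MOUNT:-ssh-client-signer}"
ROLE="${ROLE:-my-role}"

# Reads `ssh-keygen -L` output on stdin. Succeeds only for a user certificate whose
# validity window contains $2 (local time, the format ssh-keygen -L prints), whose
# principals include $1 and, when $3 is given, whose signing CA fingerprint is $3.
cert_valid_at() {
  local user="$1" now="$2" expect_ca="${3:-}"
  local listing type from to principals ca
  listing=$(cat)
  type=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*Type: //p')
  case "$type" in
    *"user certificate"*) ;;
    *) echo "not a user certificate: '$type'" >&2; return 1 ;;
  esac
  from=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*Valid: from \([^ ]*\) to \([^ ]*\).*/\1/p')
  to=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*Valid: from \([^ ]*\) to \([^ ]*\).*/\2/p')
  if [ -n "$from" ]; then   # "Valid: forever" prints no window
    # Same ISO layout on both sides, so string order equals time order.
    if [ "$now" \< "$from" ] || [ "$now" \> "$to" ]; then
      echo "certificate not valid at $now (window $from to $to)" >&2; return 1
    fi
  fi
  # Principals follow the "Principals:" header one per indented line, up to the
  # next header; "Principals: (none)" therefore yields an empty list.
  principals=$(printf '%s\n' "$listing" | awk '
    /^[[:space:]]*Principals:/       { inside = 1; next }
    /^[[:space:]]*Critical Options:/ { inside = 0 }
    inside { gsub(/^[[:space:]]+|[[:space:]]+$/, ""); if ($0 != "") print }')
  if ! printf '%s\n' "$principals" | grep -qxF -- "$user"; then
    echo "certificate has no principal '$user' (principals: ${principals:-none})" >&2; return 1
  fi
  if [ -n "$expect_ca" ]; then
    ca=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*Signing CA: [^ ]* \([^ ]*\).*/\1/p')
    if [ "$ca" != "$expect_ca" ]; then
      echo "certificate signed by '$ca', expected '$expect_ca'" >&2; return 1
    fi
  fi
  return 0
}

# Constructed sample of `ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub` for a certificate
# issued under my-role: 30m window, principal linuxer, permit-pty.
sample_listing() {
  cat <<'EOF'
/home/linuxer/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:7yHkQ2mPz9LdX4vTb8nRc1sWq6Ea0JfUo3gNi5KhYtB
        Signing CA: RSA SHA256:uJkz8qXb2tN7vEcQ1rL4sWm0PaYhDgK5oZfHiBnR3eV (using rsa-sha2-256)
        Key ID: "vault-root-3f1c9a"
        Serial: 1234567890123456789
        Valid: from 2024-05-01T10:29:30 to 2024-05-01T11:00:00
        Principals: 
                linuxer
        Critical Options: (none)
        Extensions: 
                permit-pty
EOF
}

# Usage: vssh user@host [ssh options...]
vssh() {
  local target="$1"; shift
  local user="${target%%@*}"
  [ "$user" != "$target" ] || user="${USER:-$(id -un)}"   # no user@: ssh uses the local name
  local key="${SSH_KEY:-$HOME/.ssh/id_rsa}"
  local cert="${key}-cert.pub"
  local now; now=$(date +%Y-%m-%dT%H:%M:%S)               # local time, like ssh-keygen -L
  if ! { [ -r "$cert" ] && ssh-keygen -Lf "$cert" | cert_valid_at "$user" "$now" "${CA_FINGERPRINT:-}"; }; then
    echo "re-signing ${key}.pub for principal '$user' via ${MOUNT}/sign/${ROLE}" >&2
    vault write -field=signed_key "${MOUNT}/sign/${ROLE}" \
      public_key=@"${key}.pub" valid_principals="$user" > "${cert}.tmp"
    chmod 644 "${cert}.tmp" && mv "${cert}.tmp" "$cert"
  fi
  ssh -i "$key" "$target" "$@"   # ssh loads ${key}-cert.pub on its own
}

if [ $# -gt 0 ]; then
  vssh "$@"
fi
```

valid_principals is passed explicitly on the sign request so the certificate is issued for the login name actually used, rather than silently falling back to the role's default_user. Run it as vssh linuxer@192.168.0.61; with VAULT_ADDR and a sign-only VAULT_TOKEN in the environment, the first call signs the key and every call inside the 30-minute window connects without touching Vault.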

 

References

- SSH public-key authentication using HashiCorp Vault (Korean): https://ikcoo.tistory.com/251

- Signed SSH Certificates: https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates

- Client key signing: https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#client-key-signing

- Host key signing: https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing

- Managing complex policies properly: the HashiCorp Vault SSH CA dynamic secrets engine and Sentinel (Japanese): https://www.lac.co.jp/lacwatch/service/20200811_002237.html

- Managing Developer Access with Vault SSH: https://pacewisdom.com/blog/managing-developer-access-with-vault-ssh/

 
