vault로 ssh 인증(ssh authentication) 관리
테스트 환경
| 호스트 이름 | 아이피 | 역할 | 운영체제 | 비고 |
| vault-server | 192.168.0.51 | vault server | ubuntu 22.04 | |
| node1 | 192.168.0.61 | ssh server | ubuntu 22.04 | |
| node2 | 192.168.0.62 | ssh client | centos 7 |
vault data 삭제
systemctl stop vaultrm -rf /opt/vaultmkdir -pv /opt/vault/datachown -R vault.vault /opt/vaultsystemctl start vaultsystemctl status vault
vault 구성
환경변수 설정
echo "export VAULT_ADDR=http://127.0.0.1:8200" >> ~/.bashrcecho "export VAULT_API_ADDR=http://127.0.0.1:8200" >> ~/.bashrcsource ~/.bashrcvault status볼트 초기화(Initialize Vault)
vault operator init -key-shares=1 -key-threshold=1vault operator init | tee vault-init-$(date +"%Y%m%d-%H%M%S").txtunseal 및 로그인
vault operator unseal {Unseal Key}
vault operator unseal 0BRc72TDumseBHlNDgHDTFA34Ph3Tqz0rNKUkNIW9dTQvault login {Initial Root Token}
vault login hvs.e7vFgS6NwWllLEMT9X000Aqx토큰(token)에 대한 정보 표시
vault token lookupseal 및 HA 상태 출력
vault statussyslog audit 활성
vault audit enable syslog[Vault Server]
vault secrets engine 활성화
vault secrets enable -path=ssh-client-signer ssh클라이언트 CA(인증 기관) 인증서 생
vault write ssh-client-signer/config/ca generate_signing_key=trueCA 공개 키 출력
vault read -field=public_key ssh-client-signer/config/carole 설정(my-role)
vault write ssh-client-signer/roles/my-role -<<"EOH"
{
"allow_user_certificates": true,
"allowed_users": "*",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"default_user": "linuxer",
"ttl": "30m0s"
}
EOHrole 정보 확인
vault read ssh-client-signer/roles/my-role
[Target : SSH Server]
각 호스트에 CA의 공개 키 추가
ssh(sshd) server 작업
trusted-user-ca-keys.pem(/etc/ssh/trusted-user-ca-keys.pem) 저장
curl -s http://192.168.0.51:8200/v1/ssh-client-signer/public_key -o /etc/ssh/trusted-user-ca-keys.pemcat /etc/ssh/trusted-user-ca-keys.pemssh(sshd) 설정(/etc/ssh/sshd_config)
echo 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' >> /etc/ssh/sshd_configecho "PubkeyAcceptedKeyTypes=+ssh-rsa,ssh-rsa-cert-v01@openssh.com" >> /etc/ssh/sshd_configssh(sshd) 설정 확인
cat /etc/ssh/sshd_config | egrep 'TrustedUserCAKeys|PubkeyAcceptedKeyTypes'ssh(sshd) 재기동
sshd -tsystemctl restart sshd
[Client]
ssh client 작업
vault server 환경변수 설정
- VAULT_TOKEN = ssh client에서 생성한 token value 입력(require-ssh-sign token)
echo 'export VAULT_ADDR=http://192.168.0.51:8200' >> ~/.bashrcecho 'export VAULT_TOKEN="hvs.e7vFgS6NwWllLEMT9X000Aqx"' >> ~/.bashrcsource ~/.bashrcenv | grep VAULT클라이언트 SSH Authentication - ssh key 생성(계정 : linuxer)
ssh-keygen -t rsa -C "linuxer@vault"vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/signed-cert.pub(OR)
vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub권한 설정
chmod 644 ~/.ssh/signed-cert.pub인증서 확인
cat ~/.ssh/signed-cert.pubssh-keygen -Lf ~/.ssh/signed-cert.pubssh client에서 ssh server로 접속 테스
ssh -i ~/.ssh/signed-cert.pub -i ~/.ssh/id_rsa linuxer@192.168.0.61
참고URL
- HashiCorp Vault를 이용한 SSH 공개키 인증: https://ikcoo.tistory.com/251
- Signed SSH Certificates : https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates
- client key signing : https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#client-key-signing
- host key signing : https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing
- 複雑なポリシーを適切に管理する、HashiCorp Vault SSH CA動的シークレットエンジンとSentinel : https://www.lac.co.jp/lacwatch/service/20200811_002237.html
- Managing Developer Access with Vault SSH: https://pacewisdom.com/blog/managing-developer-access-with-vault-ssh/
'리눅스' 카테고리의 다른 글
| [리눅스] consul cluster 구성 (0) | 2023.01.26 |
|---|---|
| [리눅스] consul 설치(install consul) (0) | 2023.01.26 |
| [리눅스] 파일 디스크립터(File Descriptor) 및 설정(ulimit) (0) | 2023.01.25 |
| [리눅스] docker nettools (0) | 2023.01.25 |
| [리눅스] centos에 hashicorp vault를 설치하는 방법(installing vault) (0) | 2023.01.25 |
