Skip to content

A utility for renewing SSH host certificates managed by HashiCorp Vault

License

Notifications You must be signed in to change notification settings

ngrewe/vault-ssh-renew

Folders and files

NameName
Last commit message
Last commit date

Latest commit

445dd02 · Jul 28, 2020

History

57 Commits
Jul 28, 2020
Jul 28, 2020
Jul 28, 2020
Jul 27, 2020
Jul 28, 2020
Jul 23, 2020
Jul 23, 2020
Jul 24, 2020
Jul 23, 2020
Jul 28, 2020
Jul 28, 2020
Jul 28, 2020
Jul 28, 2020
Jul 22, 2020
Jul 23, 2020
Jul 28, 2020
Jul 24, 2020

Repository files navigation

Vault SSH Renewal Tool

Build Status PyPI version Download

vault-ssh-renew automates the process of renewing SSH host certificates issued by HashiCorp Vault. It will check whether a certificate is installed on the host, and whether it expires in the near future. Only then will it request Vault to issue a new certificate.

Please note that vault-ssh-renew does not take care of renewing the Vault token itself or of re-configuring your SSH server software to actually present the certificate. Please refer to the Vault documentation on how to achieve this.

Installation

Pip

pip install vault-ssh-renew

Debian/Ubuntu Packages

On Debian Buster, Ubuntu 18.04, and 20.04, you can install vault-ssh-renew from packages:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv AF0E925C4504784BF4E0FFF0C90E4BD2B36E75B9
echo "deb https://dl.bintray.com/glaux/production $(lsb_release -s -c) main" | sudo tee -a /etc/apt/sources.list.d/vault-ssh-renew.list
sudo apt-get update
sudo apt-get install vault-ssh-renew

The package will also install a daily timer to run vault-ssh-renew. If you are installing interactively, you will also be asked supply all the required configuration parameters, which will be written to /etc/default/vault-ssh-renew and can be edited there.

Docker

You may also run the tool using a Docker container:

docker run -ti -v/etc/ssh:/etc/ssh \
    -e VAULT_TOKEN=**** \
    -e VAULT_ADDR=http://127.0.0.1:8200 \
    -e VAULT_SSH_SIGN_PATH=ssh/sign/host \
    glaux/vault-ssh-renew

For every release, there also exists a corresponding tag suffixed with .cron (e.g.: :latest.cron) that runs the tools as a periodic cron job.

Configuration

Configuration can be achieved using the following environment variables.

Variable Data Type Meaning Default
VAULT_ADDR URL Address under which Vault can be reached. http://127.0.0.1:8200
VAULT_TOKEN String Token for authentication against Vault.
VAULT_TOKEN_FILE String The path to read the Vault token from.
VAULT_SSH_HOST_KEY_PATH String The path to the SSH public key. /etc/ssh/ssh_host_rsa_key.pub
VAULT SSH_HOST_CERT_PATH String The path to the SSH host certificate. /etc/ssh/ssh_host_rsa_key-cert.pub
VAULT_SSH_SIGN_PATH String The path to the signing endpoint, usually ⟨secret mountpoint⟩/sign/⟨role name⟩.
VAULT_SSH_PRINCIPALS List of Strings A space separated list of principals to request in the certificate Host's FQDN
VAULT_SSH_RENEWAL_THRESHOLD_DAYS Integer When the certificate is valid for less then this many days, renew it. 7

Kubernetes Deployment

The directory kubernetes/ in the source distribution contains a set of resources that can serve as a template to deploy vault-ssh-renew across your Kubernetes cluster. You'll need to:

  • edit secret.yaml to supply your Vault token
  • add the correct Vault address and signing path to configmap.yaml
  • optionally change the version in daemonset.yaml to something other than latest
kubectl apply -f kubernetes/*.yaml

About

A utility for renewing SSH host certificates managed by HashiCorp Vault

Resources

License

Stars

Watchers

Forks

Packages

No packages published