Automate signing SSH host and client certificates for a more secure and scalable infrastructure.
🏭 Sign SSH host public keys
👨💻 Sign SSH user public keys
🔗 Read CA from a given Vault ssh mount
🛂 Authenticate against Vault using AppRole, (explicit) token or implicit auth
💻 Both your workstation's CLI and your servers up in the cloud are 1st class citizens
⏰ Automatically renews certificates based on their lifetime
🔭 Provides metrics to increase observability for robust automation
SSH client certificates make sense

- to avoid the chore of synchronizing `authorized_keys` files across servers: a server only needs to trust the CA public key (`TrustedUserCAKeys` in `sshd_config`)
- to limit the impact of a leaked private key: a short-lived certificate expires on its own, so there is no stale public key left in `authorized_keys` that has to be hunted down and removed

SSH host certificates help prevent MitM attacks for clients that have not yet established trust for a server (the "trust on first use" prompt): the client checks the presented host key against a CA it already trusts instead of accepting whatever key the server offers.

Both client and host certificates allow for efficient scaling regarding the number of clients and servers.
vault-ssh-cli, leveraging its automation and observability capabilities, allows using SSH certificates while obeying security best practices such as short-lived certificates and timely re-generation.
Pre-compiled binaries can be found in the releases section. They are signed with signify using the following public key:

```
untrusted comment: signify public key
RWSFxNuvQMx07H1IC6sUxJvlsdtfDlY39EdoHMG/ZpivtOmp8sJ3DMEg
```

To verify the signature on the checksum file and then the checksums of the downloaded binaries, run

```
$ signify -V -p /path/to/downloaded/pubkey -m checksum.sha256
$ sha256sum -c checksum.sha256
```

signify looks for the detached signature in `checksum.sha256.sig` next to the message unless a different path is given with `-x`. Only trust the binaries if both commands succeed.
Alternatively, build and install from source:

```
$ go install github.com/soerenschneider/vault-ssh-cli@latest
```
`vault-ssh-cli` is designed to be run repeatedly by an external scheduler such as a systemd timer or a (Kubernetes) cron job. A run only re-signs the key once a configurable share of the certificate's lifetime has elapsed; otherwise the existing certificate is left as it is, so frequent invocations are cheap.
Supported ways of exposing metrics:

✅ Dumping metrics to disk to be picked up by Prometheus node_exporter (textfile collector)
❌ Pushing metrics to Prometheus Pushgateway

All metrics are exposed using the prefix `ssh_key_signer`.
Name | Type | Description |
---|---|---|
success_bool | Gauge | Whether the last run of the tool succeeded |
cert_expiry_seconds | Gauge | Unix timestamp after which the certificate is no longer valid |
cert_lifetime_seconds_total | Gauge | Total number of seconds the certificate is valid for |
cert_lifetime_percent | Gauge | Share of the certificate's lifetime that has already elapsed, in percent |
run_timestamp_seconds | Gauge | Unix timestamp of the last run of the tool |
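The following Go program is an added example written for this page, not code from the vault-ssh-cli project. It shows the two pieces the scheduling paragraph and the metrics table above describe: the renewal decision based on the elapsed share of a certificate's validity window (the 75 % threshold, the `certValidity` type and the function names are assumptions of this example), and rendering the five metrics from the table in Prometheus text exposition format under the `ssh_key_signer` prefix, written atomically into a node_exporter textfile directory (the directory and file name are placeholders). The validity window is a constructed sample; in a real run the `ValidAfter`/`ValidBefore` fields would be read from the signed certificate.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// certValidity mirrors the validity window carried in an OpenSSH certificate
// (ValidAfter / ValidBefore are Unix seconds in the certificate itself).
// Assumed type for this example.
type certValidity struct {
	ValidAfter  time.Time
	ValidBefore time.Time
}

// lifetimePercent returns how much of the validity window has elapsed at
// time now, clamped to [0, 100] so not-yet-valid and expired certificates
// report 0 and 100 respectively.
func lifetimePercent(c certValidity, now time.Time) float64 {
	total := c.ValidBefore.Sub(c.ValidAfter).Seconds()
	if total <= 0 {
		return 100 // degenerate window: always treat as expired
	}
	pct := now.Sub(c.ValidAfter).Seconds() / total * 100
	if pct < 0 {
		return 0
	}
	if pct > 100 {
		return 100
	}
	return pct
}

// needsRenewal is the decision a scheduled run makes: re-sign once at least
// thresholdPercent of the lifetime has elapsed, otherwise leave the
// certificate alone.
func needsRenewal(c certValidity, now time.Time, thresholdPercent float64) bool {
	return lifetimePercent(c, now) >= thresholdPercent
}

// renderMetrics produces Prometheus text exposition format for the metrics
// listed in the table, prefixed with ssh_key_signer.
func renderMetrics(c certValidity, now time.Time, success bool) string {
	const p = "ssh_key_signer"
	succ := 0
	if success {
		succ = 1
	}
	var b strings.Builder
	fmt.Fprintf(&b, "# TYPE %s_success_bool gauge\n%s_success_bool %d\n", p, p, succ)
	fmt.Fprintf(&b, "# TYPE %s_cert_expiry_seconds gauge\n%s_cert_expiry_seconds %d\n", p, p, c.ValidBefore.Unix())
	fmt.Fprintf(&b, "# TYPE %s_cert_lifetime_seconds_total gauge\n%s_cert_lifetime_seconds_total %d\n",
		p, p, int64(c.ValidBefore.Sub(c.ValidAfter).Seconds()))
	fmt.Fprintf(&b, "# TYPE %s_cert_lifetime_percent gauge\n%s_cert_lifetime_percent %.2f\n", p, p, lifetimePercent(c, now))
	fmt.Fprintf(&b, "# TYPE %s_run_timestamp_seconds gauge\n%s_run_timestamp_seconds %d\n", p, p, now.Unix())
	return b.String()
}

// writeTextfile writes the rendered metrics as <name>.prom into the
// node_exporter textfile directory. It writes a temporary file first and
// renames it so the collector never reads a half-written file.
func writeTextfile(dir, name, content string) error {
	tmp := filepath.Join(dir, name+".tmp")
	if err := os.WriteFile(tmp, []byte(content), 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(dir, name+".prom"))
}

func main() {
	// Constructed sample: a 24h certificate issued 20h ago, renew at 75%.
	now := time.Now()
	c := certValidity{ValidAfter: now.Add(-20 * time.Hour), ValidBefore: now.Add(4 * time.Hour)}
	fmt.Printf("lifetime elapsed: %.1f%%, renew: %v\n", lifetimePercent(c, now), needsRenewal(c, now, 75))
	metrics := renderMetrics(c, now, true)
	fmt.Print(metrics)
	// Placeholder textfile directory; node_exporter is usually started with
	// --collector.textfile.directory pointing at such a path.
	if err := writeTextfile(os.TempDir(), "vault_ssh_cli", metrics); err != nil {
		fmt.Fprintln(os.Stderr, "writing metrics:", err)
		os.Exit(1)
	}
}
```

Clamping the percentage matters for alerting: an expired certificate reports 100 rather than a value above it, and a certificate whose `ValidAfter` lies in the future (clock skew between Vault and the host) reports 0 instead of a negative number, so a simple `ssh_key_signer_cert_lifetime_percent > 90` rule behaves sensibly in both cases.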
Vault needs to be configured with an SSH secrets engine that acts as the CA, see this TF module.
https://man.openbsd.org/sshd_config#HostCertificate
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#client-side-host-verification