For the last few months, I've been working on sshv, a HashiCorp Vault-aware ssh wrapper.
It looks like this:
Welcome to sshv
Purpose: A vault-aware ssh client
Usage: sshv [OPTIONS] destination [COMMAND]
  Example: sshv user1@sshserver
  Example: sshv user1@sshserver echo "hello world"
  Example: sshv user1@sshserver -- -p 1022 echo "hello world"
  Example: sshv user1@sshserver -- sudo tee -a /root/.ssh/authorized_keys <<< "ssh-rsa..."
Description
  sshv is a wrapper for ssh. It logs into vault, creates a local ssh keypair, sends
  the resulting public key to vault's CA (ssh secrets engine) for signing, receives
  the resulting certificate, and calls ssh with arguments to use the certificate
  against the user@server you specify.
Options:
  -d, --debug        Debug mode for sshv (i.e., enable bash's set -x)
  -f, --portforward  Deprecated June 2020: used to enable http://localhost:8080 and :8200.
  -h, --help         Display help
  -r, --remove       Remove sshv
  -s, --search       Search inventory. Example: sshv -s js1
  -u, --update       Update sshv, the latest hosts_ca cert, and latest inventory
  -c, --csv          Open a csv of the inventory
  -j, --json         Open a json version of the inventory
  -l, --links        Show links (URIs) to resources
  --                 Send e
My previous blog post has visuals explaining how it works, but in short it is a Mac- and Linux-compatible executable, written in bash, that allows you to:
1. log into Vault via Active Directory
2. store the resulting vault token locally
3. automatically create and send a Certificate Signing Request (CSR) to Vault, configured as a CA
4. automatically obtain an ssh (not x509) certificate and present it to your SSH server
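The four steps above as one bash function, written as an added example for this post rather than taken from the sshv source; the Vault mount name "ssh-client-signer" and role "default-role" are assumptions, and the script also refuses a certificate whose validity window (as printed by ssh-keygen -L) does not cover the current time:

```shell
#!/usr/bin/env bash
# Added example, not the sshv source: the sshv flow (Vault login, fresh keypair,
# Vault-signed ssh certificate, ssh with that certificate) plus a pure-shell check
# that the returned certificate is valid right now. Assumes vault and ssh-keygen
# are installed, VAULT_ADDR is set, and the ssh secrets engine is mounted at
# "ssh-client-signer" with role "default-role" (hypothetical; override via env).
set -eu

VAULT_SSH_MOUNT="${VAULT_SSH_MOUNT:-ssh-client-signer}"
VAULT_SSH_ROLE="${VAULT_SSH_ROLE:-default-role}"

# Read `ssh-keygen -L` output on stdin and print the validity window as two
# 14-digit stamps "YYYYMMDDHHMMSS YYYYMMDDHHMMSS"; "Valid: forever" maps to an
# open-ended window. Prints nothing if no Valid: line is present.
cert_validity() {
  local line
  line=$(grep 'Valid:' | head -n 1)
  case "$line" in *forever*) echo "0 99999999999999"; return 0 ;; esac
  printf '%s\n' "$line" |
    sed -n 's/.*Valid: from \([0-9T:-]*\) to \([0-9T:-]*\).*/\1 \2/p' |
    sed 's/[-T:]//g'
}

# Succeed only if the certificate described on stdin is valid at $1, given as
# YYYY-MM-DDTHH:MM:SS (the format ssh-keygen -L itself prints, local time).
cert_valid_at() {
  local now
  now=$(printf '%s' "$1" | sed 's/[-T:]//g')
  set -- $(cert_validity)
  [ "$#" -eq 2 ] || return 1          # no Valid: line -> treat as invalid
  [ "$1" -le "$now" ] && [ "$now" -le "$2" ]
}

# The wrapper itself: sshv_connect user@host [ssh args...]
sshv_connect() {
  local dest=$1 dir key; shift
  dir=$(mktemp -d); key="$dir/id_ed25519"
  trap 'rm -rf "$dir"' EXIT            # keypair and cert never outlive the session
  # Log into Vault via LDAP (Active Directory) only if no valid token is cached.
  vault token lookup >/dev/null 2>&1 || vault login -method=ldap username="${USER:-$(id -un)}"
  ssh-keygen -q -t ed25519 -N '' -f "$key"
  # Vault's ssh secrets engine signs the public key and returns a certificate.
  vault write -field=signed_key "$VAULT_SSH_MOUNT/sign/$VAULT_SSH_ROLE" \
    public_key=@"$key.pub" > "$key-cert.pub"
  ssh-keygen -L -f "$key-cert.pub" | cert_valid_at "$(date +%Y-%m-%dT%H:%M:%S)" ||
    { echo "sshv: certificate is not valid at this time" >&2; return 1; }
  ssh -i "$key" -o CertificateFile="$key-cert.pub" "$dest" "$@"
}

if [ "$#" -gt 0 ]; then sshv_connect "$@"; fi
```

Because the keypair lives in a temp directory removed on exit, nothing long-lived is left behind; the only durable credential is the Vault token, which Vault itself expires.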
The advantage is that you do NOT need ssh keys that never expire: every session gets a fresh, short-lived certificate. You also don't need to fiddle with creating CSRs or ssh keys, or with obtaining and managing certificates.
I've also integrated sshv with our inventory across 3 APIs (VMware, IBM Cloud Classic, and IBM VPC) by writing custom "dynamic inventory" modules for Ansible that Jenkins runs every 12 hours. This allows users to search the inventory by IP (or partial IP), hostname, VPC name, Customer Environment Name, presence in a compliance database, and more.