Generating SSH One-Time Passwords with Vault
Vault is a secrets-management tool created by HashiCorp. The company is also known for tools such as:
- Consul (service discovery)
- Nomad (cluster scheduler)
- Terraform (infrastructure provisioner)
- Vagrant (VM manager)
- Packer (OS image manager)
Vault is a very useful tool for managing different kinds of secrets: one-time passwords (OTP) for SSH, database credentials, credentials for cloud services and other key/value (KV) secrets. Think of it as an analog of KeePass/LastPass combined with the Google Authenticator PAM module.
Vault (like the other HashiCorp tools) is distributed as a single binary, has great documentation and is pretty simple to configure.
So, here I'll tell you about SSH OTP and how to integrate it with Vault. It can be useful when you want to avoid managing SSH keys and use OTPs instead.
Install and setup Vault
Download Vault for your OS, unzip the archive and run the server in development mode:
wget https://releases.hashicorp.com/vault/1.0.0-beta1/vault_1.0.0-beta1_linux_amd64.zip
unzip vault_1.0.0-beta1_linux_amd64.zip -d /usr/local/bin/
vault server -dev
Now you have a running Vault server. Easy, huh?
I already have a production Vault; it runs on the domain https://vault.yourdomain.org. I provisioned my Vault configuration in AWS using Terraform and Packer.
Okay, let's connect to the Vault server via the client, enable the SSH secrets engine and create a role for it with the default user ubuntu, allowing all IP addresses:
# set Vault Server address
export VAULT_ADDR='https://vault.yourdomain.org'
# create SSH Secret Engine
vault secrets enable ssh
# create role for engine
vault write ssh/roles/otp_key_role \
    key_type=otp \
    default_user=ubuntu \
    cidr_list=0.0.0.0/0
Install Vault SSH Helper
To connect our nodes to Vault we need to install the helper on every node we want to connect to.
Download and install the helper:
export VSH_VERSION=0.1.4
export SSHD_CONFIG_PATH=/etc/ssh/sshd_config
export PAMD_CONFIG_PATH=/etc/pam.d/sshd
wget https://releases.hashicorp.com/vault-ssh-helper/${VSH_VERSION}/vault-ssh-helper_${VSH_VERSION}_linux_amd64.zip
unzip vault-ssh-helper_${VSH_VERSION}_linux_amd64.zip -d /usr/local/bin/
Configure the helper:
mkdir /etc/vault-helper.d/
# generate config for helper
cat << EOF > /etc/vault-helper.d/config.hcl
vault_addr = "https://vault.yourdomain.org"
ssh_mount_point = "ssh"
tls_skip_verify = false
allowed_roles = "*"
allowed_cidr_list="0.0.0.0/0"
EOF
Configure PAM:
# disable common-auth
sed -i -e 's/^@include common-auth/#@include common-auth/g' ${PAMD_CONFIG_PATH}
# allow Helper to use pam_exec
echo "auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-helper.d/config.hcl" | tee -a ${PAMD_CONFIG_PATH}
echo "auth optional pam_unix.so not_set_pass use_first_pass nodelay" | tee -a ${PAMD_CONFIG_PATH}
Configure SSH:
# enable ChallengeResponseAuthentication
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' ${SSHD_CONFIG_PATH}
# allow to use PAM
sed -i -e 's/UsePAM no/UsePAM yes/g' ${SSHD_CONFIG_PATH}
# disable password authentication
sed -i -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' ${SSHD_CONFIG_PATH}
# restart SSH server
systemctl restart sshd
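To make the PAM wiring above concrete, here is an added example (my own code, not HashiCorp's vault-ssh-helper) of the check the helper performs when pam_exec hands it the typed OTP: it asks Vault's ssh/verify endpoint who the OTP was issued to and accepts the login only if the username and the IP bound to the OTP match this host. The host IP 192.168.10.12, the fake_vault_post stand-in and the OTP value are taken from this article or constructed for the demo.

```python
# Added example, not HashiCorp's vault-ssh-helper: the check behind the pam_exec line.
# pam_exec passes the typed OTP on stdin (expose_authtok) and the login name in PAM_USER;
# exit status 0 means PAM success, anything else means the login is refused.
import ipaddress
import json
import os
import sys
import urllib.request

def vault_post(vault_addr, path, payload, timeout=5):
    """POST JSON to Vault's HTTP API (ssh/verify needs no token) and decode the body."""
    req = urllib.request.Request(f"{vault_addr}/v1/{path}", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def verify_otp(otp, pam_user, host_ips, allowed_cidrs, post):
    """True only if Vault confirms `otp` was issued for `pam_user` on one of `host_ips`
    and that IP lies inside `allowed_cidrs` (mirrors allowed_cidr_list in config.hcl).
    `post(path, payload)` does the Vault call so the logic is testable offline."""
    try:
        data = post("ssh/verify", {"otp": otp}).get("data") or {}
    except Exception:  # unknown OTP (HTTP 400), Vault unreachable, bad JSON: fail closed
        return False
    if data.get("username") != pam_user:
        return False
    try:
        bound_ip = ipaddress.ip_address(data.get("ip", ""))
    except ValueError:
        return False
    if str(bound_ip) not in host_ips:
        return False
    return any(bound_ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)

def fake_vault_post(path, payload):
    """Constructed stand-in for Vault (no network), seeded with the OTP from the article."""
    issued = {"ce307d33-84d8-0794-f284-b8b3c8e43699":
              {"username": "ubuntu", "ip": "192.168.10.12", "role_name": "otp_key_role"}}
    if path != "ssh/verify" or payload.get("otp") not in issued:
        raise RuntimeError("OTP not found")  # Vault answers 400 here; urlopen raises
    return {"data": issued[payload["otp"]]}

if __name__ == "__main__":  # invoked by pam_exec; host_ips is a placeholder for this host
    otp = sys.stdin.readline().rstrip("\n\x00")
    post = lambda p, d: vault_post(os.environ.get("VAULT_ADDR", "https://vault.yourdomain.org"), p, d)
    ok = verify_otp(otp, os.environ.get("PAM_USER", ""), {"192.168.10.12"}, ["0.0.0.0/0"], post)
    sys.exit(0 if ok else 1)
```

Vault deletes the OTP on a successful verify, which is what makes it single-use; narrowing allowed_cidrs from 0.0.0.0/0 to your hosts' subnet limits where an issued OTP can be redeemed.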
Use OTP
Our preparations are finished, so let's finally generate an OTP for the server:
vault write ssh/creds/otp_key_role ip=192.168.10.12
Key                Value
---                -----
lease_id           ssh/creds/otp_key_role/edc499e3-c100-405f-203b-c775d29c0233
lease_duration     192h
lease_renewable    false
ip                 192.168.10.12
key                ce307d33-84d8-0794-f284-b8b3c8e43699
key_type           otp
port               22
username           ubuntu
Now try to connect to the machine, entering this key as the password:
ssh ubuntu@192.168.10.12
Password: ce307d33-84d8-0794-f284-b8b3c8e43699
You can also generate an OTP via the Vault UI.
HashiCorp also released cool new documentation for Vault and other tools. So don’t miss the latest updates on it.