feat: add ssh host key signing

2024-05-25 16:46:13 +10:00 · 2024-05-25 16:46:13 +10:00 · 7aa7f33145
commit 7aa7f33145
parent a6a03b4d83
1 changed files with 37 additions and 0 deletions
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@ -84,3 +84,40 @@

 ## get the certmanager approle id
    vault read -field=role_id auth/approle/role/certmanager/role-id
+
+
+# SSH Hostkey Signing
+
+## create ssh engine, key, set ttl
+    vault secrets enable -path=ssh-host-signer ssh
+    vault write ssh-host-signer/config/ca generate_signing_key=true
+    vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+
+## create role
+    vault write ssh-host-signer/roles/hostrole \
+        key_type=ca \
+        algorithm_signer=rsa-sha2-256 \
+        ttl=87600h \
+        allow_host_certificates=true \
+        allowed_domains="unkin.net" \
+        allow_subdomains=true \
+        allow_baredomains=true
+
+## create policy to use hostrole
+    cat <<EOF > sshsign-host.hcl
+    path "ssh-host-signer/sign/hostrole" {
+        capabilities = ["create", "update"]
+    }
+    EOF
+
+    vault policy write sshsign-host-policy sshsign-host.hcl
+
+    vault write auth/approle/role/sshsign-host-role \
+        bind_secret_id=false \
+        token_policies="sshsign-host-policy" \
+        token_ttl=30s \
+        token_max_ttl=30s \
+        token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
+
+## get the sshsign-host-role approle id
+    vault read -field=role_id auth/approle/role/sshsign-host-role/role-id