hashicorp/vault-ssh-helper hashicorp/vault-ssh-helper

  • Stars
    star
    404
  • Rank 102,884 (Top 3 %)
  • Language
    Go
  • License
    Mozilla Public Li...
  • Created almost 9 years ago
  • Updated 7 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
hashicorp/vault-ssh-helper
github

hashicorp

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Vault SSH Agent is used to enable one time keys and passwords

vault-ssh-helperBuild Status

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].

vault-ssh-helper is a counterpart to HashiCorp Vault's SSH backend. It allows a machine to consume One-Time-Passwords (OTP) created by Vault servers by allowing them to be used as client authentication credentials at SSH connection time.

All of the remote hosts that belong to the SSH backend's OTP-type roles will need this helper installed. In addition, each host must have its SSH configuration changed to enable keyboard-interactive authentication and redirect its client authentication responsibility to vault-ssh-helper.

Vault-authenticated users contact the Vault server and retrieve an OTP issued for a specific username and IP address. While establishing an SSH connection to the host, the vault-ssh-helper binary reads the OTP from the password prompt and sends it to the Vault server for verification. Client authentication is successful (and the SSH connection allowed) only if the Vault server verifies the OTP. True to its name, once the OTP has been used a single time for authentication, it is removed from Vault and cannot be used again.

vault-ssh-helper is not a PAM module, but it does the job of one. vault-ssh-helper's binary is run as an external command using pam_exec.so with access to the entered password (in this case, the issued OTP). Successful execution and exit of this command is a PAM 'requisite' for authentication to be successful. If the OTP is not validated, the binary exits with a non-zero status and authentication fails.

PAM modules are generally shared object files; rather than writing and maintaining a PAM module in C, vault-ssh-helper is written in Go and invoked as an external binary. This allows vault-ssh-helper to be contained within one code base with known, testable behavior. It also allows other authentication systems that are not PAM-based to invoke vault-ssh-helper and take advantage of its capabilities.

Usage

vault-ssh-helper [options]

Options

Option Description
verify-only Verifies that vault-ssh-helper is installed correctly and is able to communicate with Vault.
config The path to the configuration file. Configuration options are detailed below.
dev vault-ssh-helper communicates with Vault with TLS disabled. This is NOT recommended for production use. Use with caution.
log-level Level of logs to output. Defaults to info. Supported values are off, trace, debug, info, warn, and error.

Download vault-ssh-helper

Download the latest version of vault-ssh-helper at releases.hashicorp.com.

Build and Install

You'll first need Go installed on your machine (version 1.8+ is required).

Install Go on your machine and set GOPATH accordingly. Clone this repository into $GOPATH/src/github.com/hashicorp/vault-ssh-helper. Install all of the dependent binaries like godep, gox, vet, etc. by bootstrapping the environment:

$ make updatedeps

Build and install vault-ssh-helper:

$ make
$ make install

Follow the instructions below to modify your SSH server configuration, PAM configuration and vault-ssh-helper configuration. Check if vault-ssh-helper is installed and configured correctly and also is able to communicate with Vault server properly. Before verifying vault-ssh-helper, make sure that the Vault server is up and running and it has mounted the SSH backend. Also, make sure that the mount path of the SSH backend is properly updated in vault-ssh-helper's config file:

$ vault-ssh-helper -verify-only -config=<path-to-config-file>
Using SSH Mount point: ssh
vault-ssh-helper verification successful!

If you intend to contribute to this project, compile a development version of vault-ssh-helper using make dev. This will put the binary in the bin and $GOPATH/bin folders.

$ make dev

If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. For example below, only helper package tests will be run.

$ make test TEST=./helper
...

If you intend to cross compile the binary, run make bin.

vault-ssh-helper Configuration

[Note]: This configuration is applicable for Ubuntu 14.04. SSH/PAM configurations differ with each platform and distribution.

vault-ssh-helper's configuration is written in HashiCorp Configuration Language (HCL). By proxy, this means that vault-ssh-helper's configuration is JSON-compatible. For more information, please see the HCL Specification.

Properties

Property Description
vault_addr [Required] Address of the Vault server.
ssh_mount_point [Required] Mount point of SSH backend in Vault server.
namespace Namespace of the SSH mount. (Vault Enterprise only)
ca_cert Path of a PEM-encoded CA certificate file used to verify the Vault server's TLS certificate. -dev mode ignores this value.
ca_path Path to directory of PEM-encoded CA certificate files used to verify the Vault server's TLS certiciate. -dev mode ignores this value.
tls_skip_verify Skip TLS certificate verification. Use with caution.
allowed_roles List of comma-separated Vault SSH roles. The OTP verification response from the server will contain the name of the role against which the OTP was issued. Specify which roles are allowed to login using this configuration. Set this to * to allow any role to perform a login.
allowed_cidr_list List of comma-separated CIDR blocks. If the IP used by the user to connect to the host is different than the address(es) of the host's network interface(s) (for instance, if the address is NAT-ed), then vault-ssh-helper cannot authenticate the IP. In these cases, the IP returned by Vault will be matched with the CIDR blocks in this list. If it matches, the authentication succeeds. (Use with caution)

Sample config.hcl:

vault_addr = "https://vault.example.com:8200"
ssh_mount_point = "ssh"
namespace = "my_namespace"
ca_cert = "/etc/vault-ssh-helper.d/vault.crt"
tls_skip_verify = false
allowed_roles = "*"

PAM Configuration

Modify the /etc/pam.d/sshd file as follows; each option will be explained below.

#@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay

First, the previous authentication mechanism common-auth, which is the standard Linux authentication module, is commented out, in favor of using our custom configuration.

Next the authentication configuration for vault-ssh-helper is set.

Keyword Description
auth PAM type that the configuration applies to.
requisite If the external command fails, the authentication should fail.
pam_exec.so PAM module that runs an external command (vault-ssh-helper).
quiet Suppress the exit status of vault-ssh-helper from being displayed.
expose_authtok Binary can read the password from stdin.
log Path to vault-ssh-helper's log file.
vault-ssh-helper Absolute path to vault-ssh-helper's binary.
config The path to vault-ssh-helper's config file.

The third line works around a bug between some versions of pam_exec.so and vault-ssh-helper that causes a successful authentication from vault-ssh-helper to fail due to some resources not being properly released. Because it is marked as optional, it is essentially a no-op that ensures that PAM cleans up successfully, avoiding the bug.

Option Description
auth PAM type that the configuration applies to.
optional If the module fails, authentication does not fail (but if the OTP was invalid, we will have already failed previously).
pam_unix.so Linux's standard authentication module.
not_set_pass Module should not be allowed to set or modify passwords.
use_first_pass Do not display password prompt again. Use the password from the previous module.
nodelay Avoids the induced delay after entering a wrong password.

SSHD Configuration

Modify the /etc/ssh/sshd_config file. Note that for many distributions these are the default options; you may not need to set them explicitly but should verify their values if not.

ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
Option Description
ChallengeResponseAuthentication yes [Required] Enable challenge response (keyboard-interactive) authentication.
UsePAM yes [Required] Enable PAM authentication modules.
PasswordAuthentication no Disable password authentication.

More Repositories

1

terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Go
40,845
star
2

vault

A tool for secrets management, encryption as a service, and privileged access management
Go
29,344
star
3

consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
Go
27,763
star
4

vagrant

Vagrant is a tool for building and distributing development environments.
Ruby
25,729
star
5

packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
Go
14,818
star
6

nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Go
14,315
star
7

terraform-provider-aws

Terraform AWS provider
Go
9,438
star
8

raft

Golang implementation of the Raft consensus protocol
Go
7,383
star
9

serf

Service orchestration and management tool.
Go
5,692
star
10

go-plugin

Golang plugin system over RPC.
Go
4,874
star
11

hcl

HCL is the HashiCorp configuration language.
Go
4,827
star
12

waypoint

A tool to build, deploy, and release any application on any platform.
Go
4,789
star
13

terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
TypeScript
4,701
star
14

consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Go
4,682
star
15

terraform-provider-azurerm

Terraform provider for Azure Resource Manager
Go
4,347
star
16

otto

Development and deployment made easy.
HTML
4,282
star
17

golang-lru

Golang LRU cache
Go
4,015
star
18

boundary

Boundary enables identity-based access management for dynamic infrastructure.
Go
3,762
star
19

memberlist

Golang package for gossip based membership and failure detection
Go
3,303
star
20

go-memdb

Golang in-memory database built on immutable radix trees
Go
2,937
star
21

next-mdx-remote

Load mdx content from anywhere through getStaticProps in next.js
TypeScript
2,245
star
22

terraform-provider-google

Terraform Google Cloud Platform provider
Go
2,213
star
23

go-multierror

A Go (golang) package for representing a list of errors as a single error.
Go
2,029
star
24

yamux

Golang connection multiplexing library
Go
2,003
star
25

envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Go
1,967
star
26

go-retryablehttp

Retryable HTTP client in Go
Go
1,702
star
27

go-getter

Package for downloading things from a string URL using a variety of protocols.
Go
1,541
star
28

terraform-provider-kubernetes

Terraform Kubernetes provider
Go
1,538
star
29

best-practices

HCL
1,490
star
30

go-version

A Go (golang) library for parsing and verifying versions and version constraints.
Go
1,459
star
31

go-metrics

A Golang library for exporting performance and runtime metrics to external metrics systems (i.e. statsite, statsd)
Go
1,404
star
32

terraform-guides

Example usage of HashiCorp Terraform
HCL
1,324
star
33

setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
JavaScript
1,238
star
34

mdns

Simple mDNS client/server library in Golang
Go
1,020
star
35

vault-guides

Example usage of HashiCorp Vault secrets management
Shell
990
star
36

terraform-provider-helm

Terraform Helm provider
Go
976
star
37

go-immutable-radix

An immutable radix tree implementation in Golang
Go
926
star
38

vault-helm

Helm chart to install Vault and other associated components.
Shell
904
star
39

terraform-ls

Terraform Language Server
Go
896
star
40

vscode-terraform

HashiCorp Terraform VSCode extension
TypeScript
870
star
41

levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Go
822
star
42

vault-k8s

First-class support for Vault and Kubernetes.
Go
697
star
43

terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
HCL
653
star
44

terraform-github-actions

Terraform GitHub Actions
Shell
618
star
45

terraform-exec

Terraform CLI commands via Go.
Go
608
star
46

terraform-provider-vsphere

Terraform Provider for VMware vSphere
Go
601
star
47

consul-k8s

First-class support for Consul Service Mesh on Kubernetes
Go
599
star
48

raft-boltdb

Raft backend implementation using BoltDB
Go
585
star
49

nextjs-bundle-analysis

A github action that provides detailed bundle analysis on PRs for next.js apps
JavaScript
539
star
50

go-discover

Discover nodes in cloud environments
Go
537
star
51

consul-replicate

Consul cross-DC KV replication daemon.
Go
504
star
52

next-mdx-enhanced

A Next.js plugin that enables MDX pages, layouts, and front matter
JavaScript
496
star
53

terraform-provider-kubernetes-alpha

A Terraform provider for Kubernetes that uses dynamic resource types and server-side apply. Supports all Kubernetes resources.
Go
493
star
54

docker-vault

Official Docker images for Vault
Shell
492
star
55

terraform-k8s

Terraform Cloud Operator for Kubernetes
Go
449
star
56

puppet-bootstrap

A collection of single-file scripts to bootstrap your machines with Puppet.
Shell
444
star
57

terraform-provider-vault

Terraform Vault provider
Go
431
star
58

cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP
Go
426
star
59

consul-helm

Helm chart to install Consul and other associated components.
Shell
422
star
60

nomad-autoscaler

Nomad Autoscaler brings autoscaling to your Nomad workloads.
Go
411
star
61

damon

A terminal UI (TUI) for HashiCorp Nomad
Go
405
star
62

terraform-provider-azuread

Terraform provider for Azure Active Directory
Go
404
star
63

terraform-provider-scaffolding

Quick start repository for creating a Terraform provider
Go
402
star
64

docker-consul

Official Docker images for Consul.
Dockerfile
399
star
65

vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Go
398
star
66

terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
HCL
397
star
67

vault-action

A GitHub Action that simplifies using HashiCorp Vaultâ„¢ secrets as build variables.
JavaScript
391
star
68

terraform-plugin-sdk

Terraform Plugin SDK enables building plugins (providers) to manage any service providers or custom in-house solutions
Go
383
star
69

hil

HIL is a small embedded language for string interpolations.
Go
382
star
70

nomad-pack

Go
377
star
71

hcl2

Former temporary home for experimental new version of HCL
Go
375
star
72

errwrap

Errwrap is a Go (golang) library for wrapping and querying errors.
Go
373
star
73

learn-terraform-provision-eks-cluster

HCL
364
star
74

go-cleanhttp

Go
359
star
75

design-system

Helios Design System
TypeScript
358
star
76

logutils

Utilities for slightly better logging in Go (Golang).
Go
356
star
77

vault-ruby

The official Ruby client for HashiCorp's Vault
Ruby
336
star
78

vault-rails

A Rails plugin for easily integrating Vault secrets
Ruby
334
star
79

waypoint-examples

Example Apps that can be deployed with Waypoint
PHP
326
star
80

next-remote-watch

Decorated local server for next.js that enables reloads from remote data changes
JavaScript
325
star
81

go-hclog

A common logging package for HashiCorp tools
Go
307
star
82

terraform-config-inspect

A helper library for shallow inspection of Terraform configurations
Go
293
star
83

consul-haproxy

Consul HAProxy connector for real-time configuration
Go
279
star
84

nomad-guides

Example usage of HashiCorp Nomad
HCL
275
star
85

consul-esm

External service monitoring for Consul
Go
260
star
86

http-echo

A tiny go web server that echos what you start it with!
Makefile
257
star
87

vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver
Go
253
star
88

terraform-aws-nomad

A Terraform Module for how to run Nomad on AWS using Terraform and Packer
HCL
253
star
89

faas-nomad

OpenFaaS plugin for Nomad
Go
252
star
90

terraform-provider-google-beta

Terraform Google Cloud Platform Beta provider
Go
251
star
91

go-sockaddr

IP Address/UNIX Socket convenience functions for Go
Go
250
star
92

terraform-foundational-policies-library

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.
HCL
233
star
93

vagrant-vmware-desktop

Official provider for VMware desktop products: Fusion, Player, and Workstation.
Go
225
star
94

nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
Go
219
star
95

go-tfe

Terraform Cloud/Enterprise API Client/SDK in Golang
Go
217
star
96

terraform-provider-awscc

Terraform AWS Cloud Control provider
HCL
213
star
97

boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
HCL
206
star
98

nomad-pack-community-registry

A repo for Packs written and maintained by Nomad community members
HCL
205
star
99

terraform-plugin-framework

A next-generation framework for building Terraform providers.
Go
204
star
100

vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
Go
192
star