fixup cert-manager and add SSH

README.md

@@ -353,30 +353,34 @@ service unifi start
 ### Revoke a certificate
 
 ```bash
-vault write pki_dnet_int/revoke serial_number=<serial_number>
+export PKI_PATH=dnet_inter
-vault write pki_dnet_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+
+vault write $PKI_PATH/revoke serial_number=<serial_number>
+vault write $PKI_PATH/tidy tidy_cert_store=true tidy_revoked_certs=true
 ```
 
 ### Use with cert-manager
 
 ```bash
-vault policy write pki_dnet_int - <<EOF
+export PKI_PATH=dnet_inter
-path "pki_dnet_int*"                        { capabilities = ["read", "list"] }
+
-path "pki_dnet_int/roles/*"   { capabilities = ["create", "update"] }
+vault policy write $PKI_PATH - <<EOF
-path "pki_dnet_int/sign/*"    { capabilities = ["create", "update"] }
+path "$PKI_PATH*"                        { capabilities = ["read", "list"] }
-path "pki_dnet_int/issue/*"   { capabilities = ["create"] }
+path "$PKI_PATH/roles/*"   { capabilities = ["create", "update"] }
+path "$PKI_PATH/sign/*"    { capabilities = ["create", "update"] }
+path "$PKI_PATH/issue/*"   { capabilities = ["create"] }
 EOF
 
 vault write auth/kubernetes/role/issuer \
     bound_service_account_names=issuer \
     bound_service_account_namespaces=cert-manager \
-    policies=pki_dnet_int \
+    policies=$PKI_PATH \
     ttl=20m
 
 kubectl -n cert-manager create serviceaccount issuer
 ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
 
-cat > cert-manager/vault-clusterissuer.yaml <<EOF
+kubectl -n cert-manager apply -f - <<EOF
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
@@ -384,7 +388,7 @@ metadata:
 spec:
   vault:
     server: https://vault.ducoterra.net
-    path: pki_dnet_int/sign/dnet
+    path: $PKI_PATH/sign/dnet
     auth:
       kubernetes:
         mountPath: /v1/auth/kubernetes
@@ -443,7 +447,7 @@ spec:
 ### Connect to external vault
 
 ```bash
-# On our other server
+# On the new server (pikube - vault)
 helm install vault hashicorp/vault \
     --set "injector.externalVaultAddr=https://vault.ducoterra.net"
 
@@ -454,6 +458,9 @@ KUBE_HOST="https://3.14.3.104:6443"
 ```
 
 ```bash
+# On the existing vault server
+
+export PKI_PATH=dnet_inter
 vault auth enable -path=pikube kubernetes
 
 vault write auth/pikube/config \
@@ -464,7 +471,7 @@ vault write auth/pikube/config \
 vault write auth/pikube/role/issuer \
     bound_service_account_names=issuer \
     bound_service_account_namespaces=cert-manager \
-    policies=pki_dnet_int \
+    policies=$PKI_PATH \
     ttl=20m
 ```
 
@@ -473,9 +480,10 @@ vault write auth/pikube/role/issuer \
 ```bash
 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
 kubectl -n cert-manager create serviceaccount issuer
-ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
+export ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
+export PKI_PATH=dnet_inter
 
-cat > cert-manager/pikube-vault-clusterissuer.yaml <<EOF
+kubectl apply -f - <<EOF
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
@@ -483,7 +491,7 @@ metadata:
 spec:
   vault:
     server: https://vault.ducoterra.net
-    path: pki_dnet_int/sign/dnet
+    path: $PKI_PATH/sign/dnet
     auth:
       kubernetes:
         mountPath: /v1/auth/pikube
@@ -492,8 +500,6 @@ spec:
           name: $ISSUER_SECRET_REF
           key: token
 EOF
-
-kubectl apply -f cert-manager/pikube-vault-clusterissuer.yaml
 ```
 
 ## Auto-unseal
@@ -540,3 +546,170 @@ kubectl exec -it vault-0 -- vault operator init
 kubectl exec -ti vault-1 -- vault operator raft join http://vault-0.vault-internal:8200
 kubectl exec -ti vault-2 -- vault operator raft join http://vault-0.vault-internal:8200
 ```
+
+### SSH
+
+#### Client key signing
+
+Enable secrets engine and generate a key
+
+```bash
+vault secrets enable -path=ssh-client-signer ssh
+vault write ssh-client-signer/config/ca generate_signing_key=true
+```
+
+Retrieve the public CA (and add it to your /etc/ssh/trusted-user-ca-keys.pem) with
+
+```bash
+curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.ducoterra.net/v1/ssh-client-signer/public_key
+```
+
+Add it to your sshd_config
+
+```bash
+echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" >> /etc/ssh/sshd_config
+```
+
+Restart the SSH service
+
+```bash
+service ssh restart
+```
+
+Add signing role
+
+```bash
+vault write ssh-client-signer/roles/ducoterra -<<"EOH"
+{
+    "allow_user_certificates": true,
+    "allowed_users": "*",
+    "allowed_extensions": "permit-pty,permit-port-forwarding",
+    "default_extensions": [
+        { "permit-pty": "" }
+    ],
+    "key_type": "ca",
+    "default_user": "ducoterra",
+    "ttl": "30m0s"
+}
+EOH
+```
+
+```bash
+vault write ssh-client-signer/roles/pi -<<"EOH"
+{
+    "allow_user_certificates": true,
+    "allowed_users": "*",
+    "allowed_extensions": "permit-pty,permit-port-forwarding",
+    "default_extensions": [
+        { "permit-pty": "" }
+    ],
+    "key_type": "ca",
+    "default_user": "pi",
+    "ttl": "30m0s"
+}
+EOH
+```
+
+```bash
+vault write ssh-client-signer/roles/rancher -<<"EOH"
+{
+    "allow_user_certificates": true,
+    "allowed_users": "*",
+    "allowed_extensions": "permit-pty,permit-port-forwarding",
+    "default_extensions": [
+        { "permit-pty": "" }
+    ],
+    "key_type": "ca",
+    "default_user": "rancher",
+    "ttl": "30m0s"
+}
+EOH
+```
+
+Sign a key
+
+```bash
+export SSHUSER=pi; vault write -field=signed_key ssh-client-signer/sign/$SSHUSER public_key=@$HOME/.ssh/test_rsa.pub > ~/.ssh/test_rsa-cert.pub
+```
+
+SSH using the signed key
+
+```bash
+# If you saved the signed pub as key_name"-cert.pub" then you don't need to specify the signed-cert.pub part.
+ssh -i signed-cert.pub -i ~/.ssh/test_rsa client
+
+# or without the cert (using default client)
+ssh -i ~/.ssh/test_rsa client
+```
+
+#### Server Host Signing
+
+Enable secrets engine
+
+```bash
+vault secrets enable -path=ssh-host-signer ssh
+```
+
+Generate keys:
+
+```bash
+vault write ssh-host-signer/config/ca generate_signing_key=true
+```
+
+Extend host key's TTL
+
+```bash
+vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+```
+
+Create host role
+
+```bash
+vault write ssh-host-signer/roles/hostrole \
+    key_type=ca \
+    ttl=87600h \
+    allow_host_certificates=true \
+    allowed_domains="localdomains,dnet,hole,ducoterra.net" \
+    allow_subdomains=true
+```
+
+Sign the host's public key
+
+```bash
+vault write ssh-host-signer/sign/hostrole \
+    cert_type=host \
+    public_key=@$HOME/.ssh/id_rsa.pub
+```
+
+Write the signed certificate to the ssh config on the host
+
+```bash
+vault write -field=signed_key ssh-host-signer/sign/hostrole \
+    cert_type=host \
+    public_key=@$HOME/.ssh/id_rsa.pub > /etc/ssh/ssh_host_rsa_key-cert.pub
+```
+
+Assign correct permissions
+
+```bash
+chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub
+```
+
+Add to sshd_config
+
+```bash
+echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+echo HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub >> /etc/ssh/sshd_config
+```
+
+Restart the ssh service
+
+```bash
+service ssh restart
+```
+
+Add certificate to client
+
+```bash
+echo '@cert-authority *.ducoterra.net '$(vault read -field=public_key ssh-host-signer/config/ca) >> ~/.ssh/known_hosts
+```