Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

The demo for this talk includes an enterprise versions of Vault and Consul using Terraform Enterprise (https://app.terraform.io) to setup all the infrastructure. More specifically, the following explains the setup:

Terraform Enterprise is used to spin up the Vault/Consul clusters
3 node Vault Enterprise cluster with a 3 node Consul Enterprise cluster
Vault is publicly accessible via AWS load balancer endpoint
Consul is only accessible to Vault
Script is used to setup the Vault SSH Secrets Engine and associated roles
Terraform Enterprise is used to spin up the SSH clients in 2 separate workspaces

The Terraform workspace used to build the Vault/Consul cluster is located at: https://github.com/errygg/vault-guides/tree/master/operations/provision-vault/quick-start/terraform-aws.

Note: This demo was performed using Terraform Enterprise; however, the same demo can be accomplished using Terraform OSS using the terraform command in place of the UI.

Note: This demo uses configuration for Vault SSH found here: https://www.vaultproject.io/api/secret/ssh/index.html

Spin up and Configure Vault

Run the terraform workspace to spin up the Vault/Consul cluster
Configure Vault via UI - 1 key share, 1 threshold
Download the keys & unseal with the master key
Run terraform to configure Vault SSH backend and users

  > cd ./scripts
  > . ./vault_env.sh <Vault URL> <JSON file downloaded from unsealing Vault>
  > ./configure_vault.sh

OTP Client Admin Configuration

Spin up the OTP client via Terraform Enterprise
Create the OTP role for the vampire users as the root user

  > . ./scripts/vault_env.sh <VAULT_ADDR> <credentials json file>
  > vault write ssh/roles/vampires key_type=otp default_user=bob cidr_list="<IP address of OTP instance>/32"

Login with Bob the Vampire

Authenticate with Vault as Bob

  > export VAULT_TOKEN=`vault login -token-only -method=userpass username=bob`

Get the OTP for the client

  > vault ssh -role=vampires -mode=otp -strict-host-key-checking=no [email protected]<IP address of OTP instance>

SSH into the client

  > ssh [email protected]<IP address of OTP instance>

Enter the password from the key field in the write response from step 3.

cat out the PAM and ssh configs

  > cat /etc/pam.d/sshd
  > cat /etc/ssh/sshd_config

Exit out and try the password again and we'll see you can't login. OTP FTW!

CA Client Admin Configuration

Spin up the CA client via Terraform Enterprise

Login with Suzy

Authenticate with Vault

  > export VAULT_NAMESPACE=zombies
  > export VAULT_TOKEN=`vault login -token-only -method=userpass username=suzy`

Public key is accessible via the /public_key endpoint

  > curl http://<VAULT_ADDR>/v1/ssh/public_key

Test that we can't actually ssh to the node as Suzy

  > ssh [email protected]<IP address of CA instance>

Sign the local ssh key, putting it next to the default key allows a simpler ssh command

  > vault write -field=signed_key ssh/sign/zombies public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
  > chmod 600 ~/.ssh/id_rsa-cert.pub

SSH into the instance with our new signed key

  > ssh [email protected]<IP address of CA instance>

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 23

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (0) 🔗