Project description

VaultSSH

CLI tool for signing SSH public keys using the Vault SSH endpoint

VaultSSH is a simple command line tool written in Python which automates the process of signing SSH public keys using the Hashicorp Vault SSH backend. In environments which have configured Vault as a trusted CA and use it to issue signed keys for authenticating against SSH servers, this tool provides a simple wrapper which handles all the backend communication and produces a signed public key ready for the end-user to authenticate with.

This tool assumes that your Vault environment has been properly configured for signing SSH keys. Hashicorp provides extensive documentation along with examples on how to perform this configuration in their docs.

Installation

pip install vaultssh

Usage example

VaultSSH takes two arguments: a path to the public SSH key to sign and the Vault role that should be used to sign it. Please refer to the Vault documentation to learn more about configuring SSH key signing.

$ vaultssh ~/.ssh/id_rsa.pub myrole

VaultSSH will automatically detect if you had previously authenticated with the Vault server by looking for an existing token in the default Vault environment variable (VAULT_TOKEN) or Vault token file (~/.vault-token). You can override this behavior and provide your own token by passing the --token flag. If a token is not found, or has expired, the tool will prompt you to authenticate with the Vault backend to fetch a new token (Note: only RADIUS is currently supported). By default the tool will persist the newly acquired token in the Vault token file, however this can be disabled by passing the --no-persist flag.

VaultSSH will automatically detect the location of the Vault server by using the default Vault environment variable (VAULT_ADDR). You can override this behavior by passing the --server flag.

$ vaultssh --server https://myvault.com:8200 ~/.ssh/id_rsa.pub myrole

If the signing process succeeds, VaultSSH will automatically write the signed certificate to the same directory as the given public key:

$ vaultssh ~/.ssh/id_rsa.pub myrole
Signed key saved to /home/josh/.ssh/id_rsa-cert.pub

Development setup

This project was developed using Pipenv as the virtual environment wrapper. To install all dependencies, run the following command at the root of the project:

pipenv install --dev

Release History

0.1.0
- Initial prototype

Contributing

Fork it (https://github.com/jmgilman/vaultssh/fork)
Create your feature branch (git checkout -b feature/fooBar)
Commit your changes (git commit -am 'Add some fooBar')
Push to the branch (git push origin feature/fooBar)
Create a new Pull Request

Project details

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

1.0.0

Jan 31, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vaultssh-1.0.0.tar.gz (5.7 kB view hashes)

Uploaded Jan 31, 2020 Source

Built Distribution

vaultssh-1.0.0-py3-none-any.whl (6.9 kB view hashes)

Uploaded Jan 31, 2020 Python 3

Hashes for vaultssh-1.0.0.tar.gz

Hashes for vaultssh-1.0.0.tar.gz
Algorithm	Hash digest
SHA256	`5165c91dcd761a199163c133f52d37fa7d364ba25574c74313a38c1a5abec6b6`
MD5	`0ee9a462677d6d2fa71feb54d22b42fa`
BLAKE2b-256	`56b194964ee6d475c6a671af22d00948c60b14c911a6f99a97066669d05be9b0`

Hashes for vaultssh-1.0.0-py3-none-any.whl

Hashes for vaultssh-1.0.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`2f1fd62617571892e0c3d8a009bb488c78ac8d09b85a9841af0918f66a48eb6c`
MD5	`a84ca2b42631d67b766395821bcb5acb`
BLAKE2b-256	`b5d242a8d70dcceb779e2820182c519019bb525c119c3c9d3034401cfb5e8e9e`