
CLI tool for signing SSH public keys using the Vault SSH endpoint

Project description

VaultSSH

CLI tool for signing SSH public keys using the Vault SSH endpoint

VaultSSH is a simple command line tool written in Python that automates the process of signing SSH public keys using the Hashicorp Vault SSH backend. In environments that have configured Vault as a trusted CA and use it to issue signed keys for authenticating against SSH servers, this tool provides a simple wrapper which handles all the backend communication and produces a signed public key ready for the end-user to authenticate with.

This tool assumes that your Vault environment has been properly configured for signing SSH keys. Hashicorp provides extensive documentation along with examples on how to perform this configuration in their docs.

Installation

pip install vaultssh

Usage example

VaultSSH takes two arguments: a path to the public SSH key to sign and the Vault role that should be used to sign it. Please refer to the Vault documentation to learn more about configuring SSH key signing.

$ vaultssh ~/.ssh/id_rsa.pub myrole

VaultSSH will automatically detect whether you have previously authenticated with the Vault server by looking for an existing token in the default Vault environment variable (VAULT_TOKEN) or the Vault token file (~/.vault-token). You can override this behavior and provide your own token by passing the --token flag. If a token is not found, or has expired, the tool will prompt you to authenticate with the Vault backend to fetch a new token (Note: only RADIUS is currently supported). By default the tool will persist the newly acquired token in the Vault token file; this can be disabled by passing the --no-persist flag.

VaultSSH will automatically detect the location of the Vault server by using the default Vault environment variable (VAULT_ADDR). You can override this behavior by passing the --server flag.

$ vaultssh --server https://myvault.com:8200 ~/.ssh/id_rsa.pub myrole

If the signing process succeeds, VaultSSH will automatically write the signed certificate to the same directory as the given public key:

$ vaultssh ~/.ssh/id_rsa.pub myrole
Signed key saved to /home/josh/.ssh/id_rsa-cert.pub
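The flow described above (token lookup in VAULT_TOKEN or ~/.vault-token, server lookup in VAULT_ADDR, a sign request to the Vault SSH secrets engine, and the certificate written beside the public key as <name>-cert.pub), as an added example written for this page. It is not the vaultssh project's own code: the function names (resolve_address, resolve_token, cert_path, build_sign_request, sign_public_key), the injectable `post` hook and the `mount="ssh"` default are this example's assumptions, and the interactive RADIUS login the tool performs when no token exists is left out, so a missing or expired token is refused rather than prompted for. The Vault endpoint used, POST /v1/<mount>/sign/<role> with a `public_key` field and a `data.signed_key` field in the response, is the documented sign endpoint of the SSH secrets engine.

```python
"""Added example (not vaultssh's code): sign an SSH public key via Vault."""
import json
import os
import urllib.request
from pathlib import Path


def resolve_address(override=None, env=None):
    """The --server flag wins; otherwise VAULT_ADDR, as the README states."""
    env = os.environ if env is None else env
    addr = override or env.get("VAULT_ADDR")
    if not addr:
        raise RuntimeError("no Vault address: pass --server or set VAULT_ADDR")
    return addr.rstrip("/")


def resolve_token(override=None, env=None, token_file=None):
    """The --token flag, then VAULT_TOKEN, then ~/.vault-token; None if absent."""
    env = os.environ if env is None else env
    if override:
        return override
    if env.get("VAULT_TOKEN"):
        return env["VAULT_TOKEN"]
    path = Path(token_file) if token_file else Path("~/.vault-token").expanduser()
    try:
        return path.read_text().strip() or None
    except OSError:
        return None


def cert_path(public_key_path):
    """~/.ssh/id_rsa.pub -> ~/.ssh/id_rsa-cert.pub, the name ssh(1) looks for."""
    p = Path(public_key_path)
    stem = p.name[:-4] if p.name.endswith(".pub") else p.name
    return p.with_name(stem + "-cert.pub")


def build_sign_request(addr, token, role, public_key, mount="ssh"):
    """Request for the SSH secrets engine: POST /v1/<mount>/sign/<role>."""
    url = "%s/v1/%s/sign/%s" % (addr, mount, role)
    body = json.dumps({"public_key": public_key, "cert_type": "user"}).encode()
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    return url, body, headers


def _http_post(url, body, headers):
    """Real transport; the tests below swap in a fake via the `post` argument."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sign_public_key(public_key_path, role, addr=None, token=None,
                    mount="ssh", post=_http_post):
    """Sign the key and write <key>-cert.pub next to it; returns that path.

    Interactive (RADIUS) login is out of scope here: without a usable token
    we refuse, so a stale token can never silently yield an unsigned result.
    """
    token = resolve_token(token)
    if token is None:
        raise RuntimeError("no Vault token found (VAULT_TOKEN or ~/.vault-token)")
    public_key = Path(public_key_path).read_text().strip()
    url, body, headers = build_sign_request(
        resolve_address(addr), token, role, public_key, mount)
    response = post(url, body, headers)
    signed = response["data"]["signed_key"]
    # Sanity check: the certificate type must match the key type we sent,
    # e.g. "ssh-ed25519" -> "ssh-ed25519-cert-v01@openssh.com".
    key_type = public_key.split()[0]
    if not signed.startswith(key_type + "-cert"):
        raise RuntimeError("unexpected certificate type in Vault response")
    out = cert_path(public_key_path)
    out.write_text(signed.rstrip("\n") + "\n")
    print("Signed key saved to %s" % out)
    return out


if __name__ == "__main__":
    import sys
    # Usage mirrors the README: <public key path> <role>; the server and
    # token come from VAULT_ADDR / VAULT_TOKEN / ~/.vault-token.
    sign_public_key(sys.argv[1], sys.argv[2])
```

The `post` parameter exists so the request building and file handling can be exercised without a Vault server; in real use the default urllib transport is used and the token is only ever sent in the X-Vault-Token header, never on the command line or in the URL.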

Development setup

This project was developed using Pipenv as the virtual environment wrapper. To install all dependencies, run the following command at the root of the project:

pipenv install --dev

Release History

  • 0.1.0
    • Initial prototype

Meta

Joshua Gilman – joshuagilman@gmail.com

Distributed under the MIT license. See LICENSE for more information.

https://github.com/jmgilman

Contributing

  1. Fork it (https://github.com/jmgilman/vaultssh/fork)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Commit your changes (git commit -am 'Add some fooBar')
  4. Push to the branch (git push origin feature/fooBar)
  5. Create a new Pull Request

Download files

Source Distribution

vaultssh-1.0.0.tar.gz (5.7 kB)

Uploaded Source

Built Distribution

vaultssh-1.0.0-py3-none-any.whl (6.9 kB)

Uploaded Python 3

File details

Details for the file vaultssh-1.0.0.tar.gz.

File metadata

  • Download URL: vaultssh-1.0.0.tar.gz
  • Size: 5.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/42.0.2 requests-toolbelt/0.9.1 tqdm/4.42.0 CPython/3.6.8

File hashes

Hashes for vaultssh-1.0.0.tar.gz
Algorithm Hash digest
SHA256 5165c91dcd761a199163c133f52d37fa7d364ba25574c74313a38c1a5abec6b6
MD5 0ee9a462677d6d2fa71feb54d22b42fa
BLAKE2b-256 56b194964ee6d475c6a671af22d00948c60b14c911a6f99a97066669d05be9b0


File details

Details for the file vaultssh-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: vaultssh-1.0.0-py3-none-any.whl
  • Size: 6.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/42.0.2 requests-toolbelt/0.9.1 tqdm/4.42.0 CPython/3.6.8

File hashes

Hashes for vaultssh-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2f1fd62617571892e0c3d8a009bb488c78ac8d09b85a9841af0918f66a48eb6c
MD5 a84ca2b42631d67b766395821bcb5acb
BLAKE2b-256 b5d242a8d70dcceb779e2820182c519019bb525c119c3c9d3034401cfb5e8e9e
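The digests published above for both files are only useful if something actually checks a downloaded artifact against them. The following is an added example for this page, not part of the vaultssh project, of doing that check in Python: it computes the same three algorithms PyPI lists (note that "BLAKE2b-256" is blake2b with a 32-byte digest), compares in constant time and case-insensitively, and treats an algorithm it does not know as a failure rather than skipping it. PUBLISHED_SDIST holds the SHA256 and BLAKE2b-256 values listed on this page for vaultssh-1.0.0.tar.gz; verify_digests, compute_digests and verify_file are names chosen here.

```python
"""Added example (not vaultssh's code): verify a download against PyPI digests."""
import hashlib
import hmac
import sys

# Values copied from the "Hashes for vaultssh-1.0.0.tar.gz" table on this page.
PUBLISHED_SDIST = {
    "sha256": "5165c91dcd761a199163c133f52d37fa7d364ba25574c74313a38c1a5abec6b6",
    "blake2b-256": "56b194964ee6d475c6a671af22d00948c60b14c911a6f99a97066669d05be9b0",
}


def compute_digests(data):
    """The three digests PyPI publishes per file, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        # PyPI's "BLAKE2b-256" is BLAKE2b truncated to a 256-bit output.
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify_digests(data, expected):
    """Return the names of the entries in `expected` that do not match `data`.

    An empty list means every listed digest matched. Unknown algorithm names
    are reported as mismatches so a typo can never make the check pass.
    """
    actual = compute_digests(data)
    mismatched = []
    for name, digest in expected.items():
        key = name.lower()
        if key not in actual:
            mismatched.append(name)
            continue
        if not hmac.compare_digest(actual[key], digest.strip().lower()):
            mismatched.append(name)
    return mismatched


def verify_file(path, expected=PUBLISHED_SDIST):
    """Read the file once and check it; returns the list of failed digests."""
    with open(path, "rb") as f:
        return verify_digests(f.read(), expected)


if __name__ == "__main__":
    # Usage: python check_sdist.py vaultssh-1.0.0.tar.gz
    failed = verify_file(sys.argv[1])
    if failed:
        sys.exit("digest mismatch: %s" % ", ".join(failed))
    print("all published digests match")
```

For routine installs the equivalent check is built into pip: a requirements line of the form `vaultssh==1.0.0 --hash=sha256:<digest>` installed with `pip install --require-hashes -r requirements.txt` refuses any file whose digest differs, which is the preferred way to pin a third-party package in a deployment.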

