This repo holds the notes, slides, and configurations for my talk at HashiConf 2018.
The demo for this talk uses enterprise versions of Vault and Consul, with Terraform Enterprise (https://app.terraform.io) setting up all the infrastructure. More specifically:
- Terraform Enterprise is used to spin up the Vault/Consul clusters
- 3 node Vault Enterprise cluster with a 3 node Consul Enterprise cluster
- Vault is publicly accessible via an AWS load balancer endpoint
- Consul is only accessible to Vault
- A script is used to set up the Vault SSH Secrets Engine and associated roles
- Terraform Enterprise is used to spin up the SSH clients in 2 separate workspaces
The Terraform workspace used to build the Vault/Consul cluster is located at: https://github.com/errygg/vault-guides/tree/master/operations/provision-vault/quick-start/terraform-aws.
Note: This demo was performed using Terraform Enterprise; however, the same demo can be accomplished using Terraform OSS with the `terraform` command in place of the UI.
Note: This demo uses the Vault SSH secrets engine, whose configuration is documented here: https://www.vaultproject.io/api/secret/ssh/index.html
- Run the Terraform workspace to spin up the Vault/Consul cluster
- Initialize Vault via the UI with 1 key share and a key threshold of 1
- Download the keys and unseal Vault with the master key
- Run the configuration script, which sets up the Vault SSH secrets engine and users:

```shell
cd ./scripts
. ./vault_env.sh <Vault URL> <JSON file of keys and root token downloaded when initializing Vault>
./configure_vault.sh
```
- Spin up the OTP client via Terraform Enterprise
- Create the OTP role for the `vampires` users as the root user. `cidr_list` limits the client addresses an OTP may be issued for, so it is pinned to the OTP instance:

```shell
. ./scripts/vault_env.sh <VAULT_ADDR> <credentials json file>
vault write ssh/roles/vampires key_type=otp default_user=bob cidr_list="<IP address of OTP instance>/32"
```
- Authenticate with Vault as Bob (userpass):

```shell
export VAULT_TOKEN=$(vault login -token-only -method=userpass username=bob)
```

- Request an OTP for the client and connect. Without `sshpass` installed, `vault ssh` prints the OTP in the `key` field and then starts `ssh`; enter that value at the password prompt:

```shell
vault ssh -role=vampires -mode=otp -strict-host-key-checking=no bob@<IP address of OTP instance>
```

- Alternatively, SSH into the client directly and enter the password from the `key` field of the response above:

```shell
ssh bob@<IP address of OTP instance>
```

- Once logged in, `cat` out the PAM and sshd configs to see how vault-ssh-helper is wired into the login path:

```shell
cat /etc/pam.d/sshd
cat /etc/ssh/sshd_config
```

- Exit and try the same password again; the login fails because each OTP is single-use (vault-ssh-helper verifies it against Vault, which deletes it on first use). OTP FTW!
- Spin up the CA client via Terraform Enterprise
- Authenticate with Vault as Suzy. The CA demo lives in the `zombies` Enterprise namespace, so set it before logging in:

```shell
export VAULT_NAMESPACE=zombies
export VAULT_TOKEN=$(vault login -token-only -method=userpass username=suzy)
```

- The CA public key is served unauthenticated from the `/public_key` endpoint; this is the key the CA client trusts via `TrustedUserCAKeys`. `curl` does not read `VAULT_NAMESPACE`, so pass the namespace as a header (or prefix the path with `zombies/`), otherwise you get the root namespace's CA key:

```shell
curl -H "X-Vault-Namespace: zombies" http://<VAULT_ADDR>/v1/ssh/public_key
```

- Test that we can't actually SSH to the node as Suzy yet; the host only accepts keys signed by Vault's CA:

```shell
ssh suzy@<IP address of CA instance>
```

- Sign the local SSH key. Saving the certificate as `id_rsa-cert.pub` next to `id_rsa` lets `ssh` pick it up automatically, so no `-i` or `CertificateFile` option is needed:

```shell
vault write -field=signed_key ssh/sign/zombies public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
chmod 600 ~/.ssh/id_rsa-cert.pub
```

- SSH into the instance with our new signed key:

```shell
ssh suzy@<IP address of CA instance>
```
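The OTP steps above have you `cat` out `/etc/pam.d/sshd` and `/etc/ssh/sshd_config`, and the CA steps rely on the host trusting the key served at `ssh/public_key`. The script below is an added example, not part of the talk repo or of Vault: it audits a host's sshd and PAM configuration for the settings each Vault SSH mode depends on, and flags the `-dev` flag on vault-ssh-helper, which skips TLS verification of the Vault server. The sample config files are constructed for the demonstration, and the paths to vault-ssh-helper, its config and its log are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the talk repo): audit a host's sshd and PAM configuration
# for what each Vault SSH mode needs.
#   OTP mode: sshd must pass the typed OTP to PAM, and PAM must hand it to
#             vault-ssh-helper, which verifies (and thereby consumes) it against Vault.
#   CA mode:  sshd must trust the CA public key served at ssh/public_key.
# Paths for vault-ssh-helper, its config and its log are assumptions.
set -eu

# Does <file> contain an active (uncommented) "<keyword> <value>" line? Case-insensitive,
# as sshd keywords are. <keyword> and <value> may be extended-regex fragments.
sshd_has() {  # sshd_has <sshd_config> <keyword> <value>
  grep -Eiq "^[[:space:]]*($2)[[:space:]]+$3([[:space:]]|\$)" "$1"
}

# OTP mode, sshd side. OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication, so either spelling is accepted. PasswordAuthentication
# must be off so sshd cannot bypass PAM and check the OTP against /etc/shadow.
check_otp_sshd() {
  sshd_has "$1" 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' yes &&
  sshd_has "$1" UsePAM yes &&
  sshd_has "$1" PasswordAuthentication no
}

# OTP mode, PAM side. vault-ssh-helper must run via pam_exec with expose_authtok (the
# OTP arrives on its stdin), the distro's stock auth stack must not be included (it
# would accept the local password instead), and the helper must not run with -dev,
# which disables TLS verification of the Vault server.
check_otp_pam() {  # check_otp_pam <pam.d/sshd>
  helper_line=$(grep -E '^[[:space:]]*auth[[:space:]]+(requisite|required)[[:space:]]+pam_exec\.so' "$1" | grep vault-ssh-helper || true)
  [ -n "$helper_line" ] &&
  printf '%s\n' "$helper_line" | grep -q expose_authtok &&
  ! printf '%s\n' "$helper_line" | grep -Eq '(^|[[:space:]])-dev([[:space:]]|$)' &&
  ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# CA mode, sshd side: the file named by TrustedUserCAKeys holds the output of
# the ssh/public_key endpoint.
check_ca_sshd() {  # check_ca_sshd <sshd_config>
  sshd_has "$1" TrustedUserCAKeys '/[^[:space:]]+'
}

# Report which mode(s) a host is ready for.
audit_host() {  # audit_host <sshd_config> <pam.d/sshd>
  check_otp_sshd "$1" && check_otp_pam "$2" && echo "OTP mode: ready" || echo "OTP mode: NOT ready"
  check_ca_sshd "$1" && echo "CA mode: ready" || echo "CA mode: NOT ready"
}

# Constructed sample files (not copied from the demo hosts) so the checks run offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/sshd_config.otp" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF

cat >"$WORK/sshd_config.stock" <<'EOF'
ChallengeResponseAuthentication no
UsePAM yes
#PasswordAuthentication yes
EOF

cat >"$WORK/pam_sshd.otp" <<'EOF'
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay
#@include common-auth
EOF

cat >"$WORK/pam_sshd.dev" <<'EOF'
auth requisite pam_exec.so quiet expose_authtok /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
@include common-auth
EOF

cat >"$WORK/sshd_config.ca" <<'EOF'
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
PasswordAuthentication no
EOF

audit_host "$WORK/sshd_config.otp" "$WORK/pam_sshd.otp"
audit_host "$WORK/sshd_config.ca"  "$WORK/pam_sshd.dev"
```

Point `audit_host` at a real host's `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` to see which mode it is prepared for; the stock-distro sample shows why the OTP login in the demo only works once the PAM stack has been rewired.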