Boundary - Vault SSH Certificate 연동

3-0 구성도

3-7 (Multi hop) Boundary - Vault SSH Certificate Secret Engine 연동

docs : https://developer.hashicorp.com/boundary/tutorials/credential-management/hcp-certificate-injection

vault : https://docmoa.github.io/04-HashiCorp/06-Vault/02-Secret_Engine/ssh-signed-certificates.html#%E1%84%80%E1%85%AE%E1%84%89%E1%85%A5%E1%86%BC%E1%84%8B%E1%85%A6%E1%84%89%E1%85%A5-public-key-%E1%84%80%E1%85%A1%E1%84%8C%E1%85%A7%E1%84%8B%E1%85%A9%E1%84%80%E1%85%B5

Vault 설정

1. ssh secret engie 활성화

vault secrets enable -path=ssh ssh 

2. ssh 키 구성

   2-1 keypair가 있는경우

   vault write ssh/config/ca \
   private_key="-----BEGIN RSA PRIVATE KEY----- ..." \
   public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHEuSM6 ... HqX"

   2-2 키 생성해야 하는 경우

   vault write ssh/config/ca generate_signing_key=true
   Key           Value
   ---           -----
   public_key    ...

3. Policy 및 Role 생성

• boundary-controller.hcl : credential stroe에 필요

path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/revoke-self" {
  capabilities = ["update"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
path "sys/leases/revoke" {
  capabilities = ["update"]
}
path "sys/capabilities-self" {
  capabilities = ["update"]
}

• ssh.hcl : ssh secret engine 을 사용하는 role

path "<ssh secret engine path>/issue/<role 명>" {
  capabilities = ["create", "update"]
}

path "<ssh secert engine path>/sign/<role 명>" {
  capabilities = ["create", "update"]
}

• boundary-client.json : target host에 대한 설정

{
    "key_type": "ca",
    "allow_user_certificates": true,
    "default_user": "<target host OS 사용자명>",
    "allowed_users": "*",
    "allowed_extensions": "*"
}

• policy 생성

vault policy write boundary-controller boundary-controller.hcl
vault policy write ssh ssh.hcl

• role 생성

vault write <ssh secret engine path>/roles/<role 명> @boundary-client.json

4. Vault Token 생성 : credential store에 필요

vault token create -no-default-policy=true -policy=boundary-controller -policy=ssh -orphan=true -period=24h -renewable=true

Key                  Value
---                  -----
token                hvs.CAESIPuHbn_Q-MV-VP6SIvp0cC392YYVfh-zDD08d84i1w0zGh4KHGh2cy5RaDh0VTdxT08zSmlSRFZpYWdSNURMV1o
token_accessor       MqTktH666p0NBSkZw6wqDZZa
token_duration       24h
token_renewable      true
token_policies       ["boundary-controller" "ssh"]
identity_policies    []
policies             ["boundary-controller" "ssh"]

SSH Target Host 설정

1. vault secret engine의 public_key 값 저장

   vault read -filed=public_key <ssh Secret Engine Path>/config/ca > trusted-user-ca-keys.pem

2. SSH 설정

/etc/ssh/sshd_config - TrustedUserCAKeys 수정

TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

systemctl restart sshd

Boundary 설정

1. Credential Store 생성

• Address : Vault 주소
• Worker Filter : Vault와 통신이 되는 Worker의 Tag
• Token : Vault 설정 - 4 에서 생성한 Token

2. Credential Libraries 생성

• Vault Path : <ssh secret engine path>/sign/<role명>

• Username : boundary-client.json 에서 설정한 default user ( Target Host OS 사용자명 )

3. Target 설정

   • multi hop을 위한 tag 설정

     

• 접속하고자 하는 host 설정

  

• vault ssh certificate credential Injected 설정

  

• 접속완료

1. <ssh secret engine>/config/ca에 들어간 public key
2. token create시 붙이는< ssh secret engine> 관련 policy의 path, role 에 주의