A small CLI wrapper for authenticating with SSH keys from Hashicorp Vault

Overview

vaultssh

vaultssh is a small CLI wrapper for automatically fetching and using signed SSH certificates when remoting into a host. It wraps the ssh process and is therefore compatible with all standard ssh flags.

Installation

cargo install vaultssh

Or install using brew:

brew tap jmgilman/homebrew-apps
brew install vaultssh

Usage

$> vssh --help

vaultssh 0.1.0

A small CLI wrapper for authenticating with SSH keys from Hashicorp Vault

USAGE:
    vssh [FLAGS] [OPTIONS] <host> [ARGS]...

ARGS:
    <host>       ssh host
    <args>...    additional arguments to pass to ssh

FLAGS:
    -b, --basic      disables terminal effects
    -h, --help       Print help information
    -p, --persist    persist acquired tokens to ~/.vault-token
    -V, --version    Print version information

OPTIONS:
    -a, --auth-method    default authentication method to use
        --auth-mount     default authentication mount to use
    -c, --config         config file (default: $HOME/.vssh)
    -i, --identity       ssh key-pair to sign and use (default: $HOME/.ssh/id_rsa)
    -m, --mount          mount path for ssh backend (default: ssh)
    -r, --role           vault role account to sign with (default: "default")
    -s, --server         address of vault server (default: $VAULT_ADDR)
    -t, --token          vault token to use for authentication (default: $VAULT_TOKEN)

Configuration

A configuration file is used either by creating it at ~/.vssh or by passing one with the -c/--config CLI option. Configuration files are in TOML format. An example is shown below:

# Example config - place this in ~/.vssh to automatically use it
#
# The authentication names are the same as the default mount point for the 
# associated engine. For example, "approle" for AppRole and "oidc" for OIDC. 
# Not all engines are supported, only the ones shown below. You don't have to
# configure each one and may only configure the one you set to the default. 

auth = "oidc"                  # default authentication method to use
auth_mount = "oidc"            # default mount point for the authentication method
identity = "~/.ssh/id_rsa"     # ssh key-pair to sign and use
mount = "ssh"                  # mount path for ssh backend
persist = true                 # persist acquired tokens to ~/.vault-token
role = "myrole"                # vault role account to sign with
server = "https://vault:8200"  # address of vault server

[approle]                      # name of auth method to configure
role_id = "myrole"             # default values for auth method

[oidc]
role = "admin"

[userpass]
username = "myuser"

Flow

The following occurs when you run vssh:

  • A valid SSH certificate is searched for using the passed identity name
  • If no certificate is found, or the found certificate is expired, a new certificate is requested
  • A connection to Vault is initiated using any found tokens. If no token is found or the token is expired, a login prompt is given to acquire a new token.
  • The public key for the passed identity is signed and the certificate is saved to the local filesystem
  • The ssh program is executed and is passed the host and any additional arguments
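The first two steps of that flow hinge on one decision: is the certificate already on disk still inside its validity window? The following is an added example, not vaultssh's own code, showing that check in Rust. It parses the wire format of an ssh-ed25519 OpenSSH certificate (RFC 4251 string/uint32/uint64 encoding, field order from OpenSSH's PROTOCOL.certkeys) and compares the `valid_after`/`valid_before` window against the current time. The certificate bytes are constructed in-code with a dummy key and dummy signature, so only the time-window logic is exercised; a real vssh run would read the signed `-cert.pub` file next to the identity and, on a truncated or expired certificate, fall through to requesting a new signature from Vault.

```rust
// Added example (not vaultssh's own code): decide whether an existing OpenSSH
// certificate is still usable, as in the first two steps of the vssh flow.
// Parses the ssh-ed25519 certificate wire format (RFC 4251 encoding, field
// layout from OpenSSH PROTOCOL.certkeys) and checks the validity window.
// The certificate bytes built by `constructed_cert` use placeholder key and
// signature bytes: this is constructed test data, not a signed certificate.
use std::time::{SystemTime, UNIX_EPOCH};

/// Validity window (unix seconds) extracted from a certificate.
#[derive(Debug, PartialEq)]
pub struct Validity {
    pub valid_after: u64,
    pub valid_before: u64,
}

/// Cursor over the RFC 4251 binary encoding; every read is bounds-checked.
struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn u32(&mut self) -> Option<u32> {
        let b = self.buf.get(self.pos..self.pos + 4)?;
        self.pos += 4;
        Some(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
    }
    fn u64(&mut self) -> Option<u64> {
        let b = self.buf.get(self.pos..self.pos + 8)?;
        self.pos += 8;
        Some(u64::from_be_bytes([b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]]))
    }
    fn string(&mut self) -> Option<&'a [u8]> {
        let len = self.u32()? as usize;
        let buf = self.buf;
        let s = buf.get(self.pos..self.pos + len)?;
        self.pos += len;
        Some(s)
    }
}

/// Parse the validity window of an ssh-ed25519 certificate blob.
/// Returns None on a truncated blob or an unexpected key type.
pub fn parse_validity(blob: &[u8]) -> Option<Validity> {
    let mut r = Reader { buf: blob, pos: 0 };
    if r.string()? != &b"ssh-ed25519-cert-v01@openssh.com"[..] {
        return None;
    }
    r.string()?; // nonce
    r.string()?; // public key
    r.u64()?;    // serial
    r.u32()?;    // type (1 = user, 2 = host)
    r.string()?; // key id
    r.string()?; // valid principals
    let valid_after = r.u64()?;
    let valid_before = r.u64()?;
    Some(Validity { valid_after, valid_before })
}

/// The decision made before asking Vault for a new signature: a certificate
/// is usable only when valid_after <= now < valid_before (OpenSSH semantics).
/// Anything unparseable is treated as "needs a new certificate".
pub fn needs_new_certificate(blob: &[u8], now: u64) -> bool {
    match parse_validity(blob) {
        Some(v) => !(now >= v.valid_after && now < v.valid_before),
        None => true,
    }
}

/// Build a certificate blob with the given window. Key, nonce and signature
/// are placeholder bytes (constructed data, not a signed certificate).
pub fn constructed_cert(valid_after: u64, valid_before: u64) -> Vec<u8> {
    fn put_str(out: &mut Vec<u8>, s: &[u8]) {
        out.extend_from_slice(&(s.len() as u32).to_be_bytes());
        out.extend_from_slice(s);
    }
    let mut out = Vec::new();
    put_str(&mut out, b"ssh-ed25519-cert-v01@openssh.com");
    put_str(&mut out, &[0u8; 32]);               // nonce (dummy)
    put_str(&mut out, &[0x11u8; 32]);            // ed25519 public key (dummy)
    out.extend_from_slice(&1u64.to_be_bytes());  // serial
    out.extend_from_slice(&1u32.to_be_bytes());  // user certificate
    put_str(&mut out, b"vault-example-key-id");  // key id (constructed)
    put_str(&mut out, b"");                      // valid principals (none)
    out.extend_from_slice(&valid_after.to_be_bytes());
    out.extend_from_slice(&valid_before.to_be_bytes());
    put_str(&mut out, b"");                      // critical options
    put_str(&mut out, b"");                      // extensions
    put_str(&mut out, b"");                      // reserved
    put_str(&mut out, &[0u8; 51]);               // signature key (dummy)
    put_str(&mut out, &[0u8; 83]);               // signature (dummy)
    out
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    let fresh = constructed_cert(now - 60, now + 3600);
    let expired = constructed_cert(now - 7200, now - 3600);
    println!("fresh cert needs renewal:   {}", needs_new_certificate(&fresh, now));
    println!("expired cert needs renewal: {}", needs_new_certificate(&expired, now));
}
```

The parser reads only the fields up to the validity window and stops; signature verification is deliberately out of scope here because the sshd on the target host, not the client, is the party that must verify the CA signature. Treating any parse failure as "request a new certificate" mirrors the flow's fail-safe direction: a bad local file costs one extra signing request, never a connection attempt with a stale certificate.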

Authentication

By default, if a new certificate is needed but no valid token has been found, vssh initiates a login prompt to acquire a new token. This token is used only for the single session unless the --persist option is given, in which case the token is saved to the Vault CLI's default location of ~/.vault-token. Future uses of vssh will use this token.

Not all authentication methods are currently supported, see the above configuration example for the ones that are. Specifying defaults for the authentication method will pre-fill the login prompt to make logging in easier. However, all other auth methods are still available if desired (i.e. setting defaults does not skip any prompts).

Contributing

Check out the issues for items needing attention or submit your own and then:

  1. Fork it (https://github.com/jmgilman/vaultssh/fork)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Commit your changes (git commit -am 'Add some fooBar')
  4. Push to the branch (git push origin feature/fooBar)
  5. Create a new Pull Request

Comments
  • Trusted Certificates

    Hello,

    This is a neat little tool you've created, simplifies the process quite well!

    Unfortunately, I can't seem to get it to connect to my vault. The vault's using a certificate that's signed by a custom CA.

    The CA file is trusted in the Windows store, and the vault binary works fine when calling using the CLI.

    Is there any way I can get vssh to also trust this cert?

    opened by n0xy1 2
  • Fails to build

    Tested on Ubuntu 20.04, Linux Mint 20.2 and Ubuntu 22.04, each with stock rustc:

    error[E0432]: unresolved import `clap::Clap`
    error[E0277]: the trait bound `VaultClient: LoginClient` is not satisfied
       --> /home/bkaindl/.cargo/registry/src/github.com-1ecc6299db9ec823/vaultssh-0.1.1/src/main.rs:275:45
        |
    275 |         if let Err(e) = crate::login::login(&mut client, config, console).await {
        |                         ------------------- ^^^^^^^^^^^ the trait `LoginClient` is not implemented for `VaultClient`
        |                         |
        |                         required by a bound introduced by this call
    145 | pub struct Opts {
        | --------------- function or associated item `parse` not found for this
    ...
    184 |     let opts: Opts = Opts::parse();
        |                            ^^^^^ function or associated item not found in `Opts`
        |
        = help: items from traits can only be used if the trait is implemented and in scope
        = note: the following traits define an item `parse`, perhaps you need to implement one of them:
                candidate #1: `time::parsing::parsable::sealed::Sealed`
                candidate #2: `Parser`
                candidate #3: `TypedValueParser`

    Some errors have detailed explanations: E0277, E0432, E0599.
    For more information about an error, try `rustc --explain E0277`.

    opened by bernhardkaindl 0
Owner
Joshua Gilman