The Vault SSH secrets engine provides secure authentication and authorization for access to machines via the SSH protocol. This guide demonstrates the one-time SSH password mode.
Vault provides a number of authentication methods to help deliver the initial Vault token a client needs before it can request any secret. Getting that first secret to the consumer is the secure introduction challenge.
You can use the information in this guide to build a demonstration for testing authentication of SSH connections using LDAP and PAM in a Docker environment with OpenLDAP credentials managed by Vault.
The Vault SSH secrets engine helps manage access to machine infrastructure and provides several ways to issue SSH credentials.
Signed SSH certificates are the simplest and most powerful mode, both in setup complexity and in being platform agnostic. By combining Vault's CA capabilities with the certificate support built into OpenSSH, clients SSH into target hosts using their own local SSH keys: Vault signs the client's public key, and sshd on the target accepts the resulting certificate because it trusts the Vault CA's public key.
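The certificate flow just described, as an added example that is not from the Vault documentation or the Vault project: the Vault-side CA mount and signing role, the sshd trust anchor on the target, and the client-side signing and login. The mount name `ssh-client-signer`, role `dev-role`, user `ubuntu`, host `10.0.0.5`, key file names and the CA key path are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Vault docs or project): signed-certificate mode.
# Assumed values: mount "ssh-client-signer", role "dev-role", login user
# "ubuntu", target host 10.0.0.5, CA public key at /etc/ssh/trusted-user-ca-keys.pem.
MOUNT="ssh-client-signer"
CA_ROLE="dev-role"
LOGIN_USER="ubuntu"
TARGET_IP="10.0.0.5"
CA_KEY_PATH="/etc/ssh/trusted-user-ca-keys.pem"

# Role definition: who may be signed for which principals, with a short TTL
# so a leaked certificate is useful only briefly.
ca_role_json() {
    cat <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "$LOGIN_USER",
  "default_user": "$LOGIN_USER",
  "allowed_extensions": "permit-pty",
  "default_extensions": { "permit-pty": "" },
  "ttl": "30m0s"
}
EOF
}

# Vault side: mount an SSH engine as a CA, generate its signing key, create the role.
# Requires an authenticated vault CLI; only run when explicitly asked.
vault_ca_setup() {
    vault secrets enable -path="$MOUNT" ssh
    vault write "$MOUNT/config/ca" generate_signing_key=true
    ca_role_json | vault write "$MOUNT/roles/$CA_ROLE" -
}

# sshd fragment: any certificate signed by the CA in this file is accepted for
# the principals it names, so the file must be root-owned and not writable by others.
render_sshd_ca_snippet() {
    cat > "$1" <<EOF
TrustedUserCAKeys $CA_KEY_PATH
EOF
}

# Target host: fetch only the CA public key (the signing key never leaves Vault).
install_ca_on_host() {
    vault read -field=public_key "$MOUNT/config/ca" > "$CA_KEY_PATH"
    chmod 0644 "$CA_KEY_PATH"
    render_sshd_ca_snippet /etc/ssh/sshd_config.d/vault-ca.conf
}

# Client: Vault signs the local public key; the private key stays on the client.
# Naming the cert <key>-cert.pub lets ssh pick it up automatically.
sign_and_login() {
    vault write -field=signed_key "$MOUNT/sign/$CA_ROLE" \
        public_key=@"$HOME/.ssh/id_ed25519.pub" > "$HOME/.ssh/id_ed25519-cert.pub"
    # Check what Vault actually issued: principals, validity window, extensions.
    ssh-keygen -Lf "$HOME/.ssh/id_ed25519-cert.pub"
    ssh -i "$HOME/.ssh/id_ed25519-cert.pub" -i "$HOME/.ssh/id_ed25519" "$LOGIN_USER@$TARGET_IP"
}

case "${1:-}" in
    server) vault_ca_setup ;;
    host)   install_ca_on_host ;;
    client) sign_and_login ;;
esac
```

Run with `server` where the `vault` CLI is logged in, `host` as root on the target (then reload sshd), and `client` on the workstation. The `ssh-keygen -Lf` step is the check worth keeping: if the certificate lists a principal other than the intended user, or a validity window longer than the role's TTL, the role is misconfigured and the host will honour it anyway.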
In One-Time SSH Password (OTP) mode, Vault issues a fresh one-time password each time a client wants to SSH into a remote host. A helper command on the remote host, invoked at login time, verifies the password against Vault, and the password is consumed on first use.
`vault-ssh-helper` is the target-side counterpart to Vault's SSH secrets engine. It lets a machine consume one-time passwords (OTPs) created by Vault by accepting them as the client's authentication credential at SSH connection time.
This documentation assumes the SSH secrets engine is enabled at the /ssh path in Vault. Since it is possible to enable secrets engines at any location, please update your API calls accordingly.
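The OTP procedure end to end, as an added example that is not from the Vault documentation or the vault-ssh-helper project: the Vault-side role, the helper configuration, the PAM and sshd settings the helper depends on, and the login. The role name `otp_key_role`, user `ubuntu`, target `10.0.0.5`, Vault address, and all file paths are assumptions chosen for this example; the engine is assumed to be mounted at `ssh/` as the text above states.

```shell
#!/bin/sh
# Added example (not from the Vault docs or vault-ssh-helper project): OTP mode
# on the Vault side and on the target host. Assumed values: role "otp_key_role",
# login user "ubuntu", target 10.0.0.5, Vault at https://vault.example.com:8200,
# helper config at /etc/vault-ssh-helper.d/config.hcl.
VAULT_ADDR_ASSUMED="https://vault.example.com:8200"
ROLE="otp_key_role"
TARGET_IP="10.0.0.5"
TARGET_CIDR="10.0.0.5/32"   # keep this tight: 0.0.0.0/0 lets OTPs be minted for any host
LOGIN_USER="ubuntu"
HELPER_CFG="/etc/vault-ssh-helper.d/config.hcl"

# Vault side: enable the engine at ssh/ and create an OTP role.
# Requires an authenticated vault CLI; only run when explicitly asked.
vault_otp_setup() {
    vault secrets enable -path=ssh ssh
    vault write "ssh/roles/$ROLE" \
        key_type=otp \
        default_user="$LOGIN_USER" \
        cidr_list="$TARGET_CIDR"
}

# Issue an OTP for one target IP; Vault refuses IPs outside cidr_list.
vault_otp_issue() {
    vault write -field=key "ssh/creds/$ROLE" ip="$TARGET_IP"
}

# Target host: helper config. ssh_mount_point must match the engine path;
# allowed_roles and allowed_cidr_list restrict which OTPs this host accepts,
# so an OTP issued for another host or role is rejected here.
render_helper_config() {
    cat > "$1" <<EOF
vault_addr = "$VAULT_ADDR_ASSUMED"
ssh_mount_point = "ssh"
ca_cert = "/etc/vault-ssh-helper.d/vault-ca.pem"
tls_skip_verify = false
allowed_roles = "$ROLE"
allowed_cidr_list = "$TARGET_CIDR"
EOF
}

# PAM lines for sshd: pam_exec passes the typed password to the helper, which
# verifies it with Vault. These replace the distribution's "@include common-auth"
# (or equivalent) in /etc/pam.d/sshd; the account/session lines stay.
render_pam_sshd() {
    cat > "$1" <<'EOF'
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vault-ssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay
EOF
}

# sshd settings: keyboard-interactive through PAM, and no plain password auth,
# otherwise a local Unix password would bypass Vault entirely.
render_sshd_snippet() {
    cat > "$1" <<'EOF'
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
}

# Confirm the helper can reach Vault and the mount before changing PAM.
verify_helper() {
    vault-ssh-helper -verify-only -config="$HELPER_CFG"
}

case "${1:-}" in
    server) vault_otp_setup ;;
    issue)  vault_otp_issue ;;
    host)
        render_helper_config "$HELPER_CFG"
        render_sshd_snippet /etc/ssh/sshd_config.d/vault-otp.conf
        render_pam_sshd /etc/vault-ssh-helper.d/pam-sshd-lines   # splice into /etc/pam.d/sshd by hand
        verify_helper
        ;;
    login)  vault ssh -role "$ROLE" -mode otp "$LOGIN_USER@$TARGET_IP" ;;
esac
```

Run with `server` where the `vault` CLI is logged in, `host` as root on the target (then merge the rendered PAM lines into `/etc/pam.d/sshd` and reload sshd), and `login` from the client. `vault ssh -mode otp` enters the OTP for you only when `sshpass` is installed; otherwise it prints the OTP and you paste it at the password prompt. The two CIDR settings are the access boundary: `cidr_list` on the role limits which IPs Vault will mint an OTP for, and `allowed_cidr_list` on the host limits which OTPs the host will honour; loosening either to `0.0.0.0/0` means any Vault client with `create` on `ssh/creds/<role>` can produce a valid login for any host running the helper.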
The `vault ssh` command establishes an SSH connection with the target machine: it requests the credential from Vault (an OTP, or a signed certificate for the local key) and hands it to the local `ssh` client.
Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.