Teosch

Reputation: 69

Vault SSH PKI with OIDC - user as SSH principal

My configuration so far is working fine. Users can login to Vault Web interface using OIDC (linked to Azure AD). AD Groups are transmitted to Vault as well. So I can assign AD Groups to Vault Policies. A User who is signed in to Vault is able to sign a SSH Public Key. So far so good...

The only missing piece is Identity propagation. I want to be able to trace users on my SSH Hosts. As such, I need to add the username to the SSH Certificate.

Therefore, when a user signs her SSH public key, I want to add her Username (email, full name, anything that relates her real identity) as a principal to the SSH Certificate.

If I understood correctly, my issue is similar to this one, but instead of userpass secret engine, I use OIDC.

I tried to adopt the code as suggested in the git-issue:

# Unquoted heredoc: the $(...) below expands to the OIDC mount accessor before the file is written
cat <<EOF > signer-clientrole.hcl
{
    "allow_user_certificates": true,
    "allowed_users": "root,{{identity.entity.aliases.$(vault auth list -format=json | jq -r '.["oidc/"].accessor').name}}",
    "default_user": "",
    "allow_user_key_ids": "false",
    "default_extensions": [
        {
          "permit-pty": ""
        }
    ],
    "key_type": "ca",
    "ttl": "60m0s"
}
EOF
# Create/update the SSH CA role from the generated file
vault write ssh/roles/clientrole @signer-clientrole.hcl

However, when I want to sign a certificate with my username entered in the "principals" web form I receive an Error that the principal does not exist. See image below:

Sign Error

I hope my issue became clear. I am using Vault 1.4.2 on Debian 10.

Upvotes: 2

Views: 1010

Answers (1)

Teosch

Reputation: 69

For anyone struggling with the same issues, I found a solution to the problem.

When configuring the OIDC role, I used sub for bound_subject, as it was suggested in all corresponding tutorials and I did not question the value. sub is some kind of uuid identifying a user in the AD.

So I tried email instead and viewed the server.log file and found the following entry:

[DEBUG] identity: creating a new entity: alias="id:"..." canonical_id:"..." mount_type:"oidc" mount_accessor:"auth_oidc_..." mount_path:"auth/oidc/" name:"[email protected]"...

So the value of bound_subject is written as a value to name at whatever is behind identity.entity.aliases.$(vault auth list -format=json | jq -r '.["oidc/"].accessor') (see initial question).

So now using the email address as principal in the web form works:

Sign Success

And viewing the Certificate Properties also showed that it worked:

ssh-keygen -Lf ssh-cert.pub

ssh-cert-v11.pub:
        Type: [email protected] user certificate
        Public key: RSA-CERT SHA256:...
        Signing CA: RSA SHA256:...
        Key ID: "[email protected]..."
        Serial: ...
        Valid: from ...
        Principals: 
                [email protected]
        Critical Options: (none)
        Extensions: 
                ...

Upvotes: 1
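A consolidated, scriptable version of what the question and the answer describe, as an added example that is not code from the original post. It assumes an OIDC auth method mounted at auth/oidc/, an SSH secrets engine mounted at ssh/, a Vault policy named ssh-sign, and role names sso and clientrole; the accessor auth_oidc_0123abcd and the address alice@example.com used in the tests and comments are constructed placeholders. Vault's jwt/oidc role parameter user_claim (default "sub") is what names the entity alias, so it is set to "email" here; the SSH role's allowed_users then carries only the identity template (root is left out, so the template alone decides which principal a caller may request). The last function parses ssh-keygen -L output so a host-side check can confirm that a certificate's principals really equal the expected identity.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mounts auth/oidc/ and ssh/,
# a policy "ssh-sign", and VAULT_ADDR/VAULT_TOKEN set when apply_roles is run.

# 1. OIDC role: user_claim selects the claim that becomes the entity alias name,
#    which is exactly the value the SSH role template reads at signing time.
oidc_role_json() {
    _redirect_uri="$1"
    cat <<EOF
{
  "role_type": "oidc",
  "user_claim": "email",
  "groups_claim": "groups",
  "oidc_scopes": "openid,profile,email",
  "allowed_redirect_uris": "${_redirect_uri}",
  "token_policies": "ssh-sign",
  "token_ttl": "1h"
}
EOF
}

# 2. SSH CA role: allowed_users is a per-request template, so a caller can only
#    obtain a certificate whose principal is her own alias name (her e-mail).
ssh_role_json() {
    _accessor="$1"   # accessor of the oidc/ auth mount, e.g. auth_oidc_0123abcd (constructed)
    cat <<EOF
{
  "allow_user_certificates": true,
  "allowed_users": "{{identity.entity.aliases.${_accessor}.name}}",
  "default_user": "",
  "allow_user_key_ids": false,
  "allowed_extensions": "permit-pty",
  "default_extensions": [ { "permit-pty": "" } ],
  "key_type": "ca",
  "ttl": "60m0s"
}
EOF
}

# 3. Look up the accessor the same way the question does, then write both roles.
oidc_accessor() {
    vault auth list -format=json | jq -r '.["oidc/"].accessor'
}

apply_roles() {
    _acc="$(oidc_accessor)"
    oidc_role_json "$1" | vault write auth/oidc/role/sso -
    ssh_role_json "$_acc" | vault write ssh/roles/clientrole -
}

# 4. Host-side check: read `ssh-keygen -Lf cert.pub` output on stdin and print the
#    principals, one per line (the indented lines between "Principals:" and
#    "Critical Options:").
principals_from_listing() {
    awk '/Principals:/ { p = 1; next }
         /Critical Options:/ { p = 0 }
         p { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}

# Returns 0 only when the certificate carries exactly one principal and it is
# the expected identity, so a mismatch (or an extra principal) is flagged.
principal_matches() {
    _expected="$1"
    _found="$(principals_from_listing)"
    [ "$_found" = "$_expected" ]
}

# Usage (only runs when explicitly requested, so sourcing this file is side-effect free):
#   APPLY_VAULT_ROLES=1 sh vault-ssh-oidc.sh 'https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback'
#   ssh-keygen -Lf id_rsa-cert.pub | principal_matches alice@example.com && echo "principal ok"
if [ "${APPLY_VAULT_ROLES:-0}" = "1" ]; then
    apply_roles "${1:?redirect URI required}"
fi
```

Because each certificate's principal is derived from the caller's own alias, sshd's "Accepted publickey ... ID alice@example.com" log lines on the hosts now carry the real identity without any shared default_user.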
