This role configures a host to use SSH keys signed by HashiCorp Vault, streamlining SSH key management.
Initially, it sets up the Vault client and configures SSH to use Vault-signed keys.
When the hardening variable is enabled, the role additionally applies enhanced security measures.
- Ansible 2.9 or higher.
- Operational HashiCorp Vault server.
- A Vault token with the
createandupdatecapabilities on thessh-client-signerendpoint.
Below are the variables you can override, along with their default values:
The most relevant variables are:
deploy_user: User for assigning SSH keys. Default:"coopbot"users_list: Users to configure for SSH access. Default:["{{ deploy_user }}"]hardening: Apply additional security measures (True/False). Default:Falsevault_address: URL of the Vault server. Default:"http://127.0.0.1:8200"vault_public_key: URL or path for the public key of the Vault. Default:""
Ensure to update this file with your own secrets and encrypt them with Ansible Vault.
---
vault_address: "https://vault.example.com"
vault_token: "token"Sets up SSH to use keys signed by HashiCorp Vault (main.yml).
- Download Vault public key.
- Configure SSH to use Vault-signed keys.
Performs the above tasks and applies additional security configurations (hardening.yml).
- Install
vaultclient. - Sign
HostCertificatewith Vault and set up it to be used by SSHD. This allows the host to be authenticated by Vault. - Enable
AuthorizedPrincipalsFile. This file specifies a list of principals (users) who are authorized to access each account, providing an extra layer of control over SSH access.
Remember to replace the values in vars with ones appropriate for your environment.
Here's an example playbook on how to use this role:
- hosts: servers
roles:
- vault_ssh_setup
vars:
vault_public_key: "https://example.com/vault-public-key.pem"
users_list: ["deployuser", "anotheruser"]
hardening: True