In this hands-on lab, you will be required to configure a HashiCorp Vault to generate SSH one-time passwords for a client on request. In order to achieve this, we will need to configure both the SSH Client, and the HashiCorp Vault servers.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Unseal the Vault and Log in with the Root Token
- Retrieve the vault keys.
- Unseal the vault.
- Log in with the
Initial Root Token.
- Enable SSH Secrets Engine and Provide Access to `ssh/creds/otp_role`
- Enable SSH Secrets engine.
- Create an
otp_rolewith key typeotp. - Create a policy file to provide access to
ssh/creds/otp_role. - Write a policy based on the
otp-policy.hclfile.
- Enable the `userpass` Authentication Method
- Enable
userpass. - Create a user and assign the
otp-policy.
- Enable
- Install `vault-ssh-helper` and Configure SSH
- On the
SSH Clientserver, downloadvault-ssh-helper. - Add the
ubuntuuser. - Unzip the
vault-ssh-helper_0.1.6_linux_amd64.zipfile and move it to/usr/local/bin. - Update the permissions on the
vault-ssh-helperbinary. - Change ownership of the binary from the
cloud_user, to therootuser, androotgroup. - Create a new directory named
vault-ssh-helper. - Create a configuration file for
vault-ssh-helper. - Modify the
pam.d/sshdconfiguration file. - Modify the
sshdconfiguration file. - Restart
sshdto apply the changes. - Run
vault-ssh-helperverification.
- On the
- Log in with the `userpass` Credentials, and Generate the One-Time Password
- On the
Vaultserver, log in with theuserpasscredentials. - Create a one-time password and copy the
keyfor later use. - From the
Clientserver, use the one-time password to connect to theSSH Clientserver.
- On the
