Vault SSH

Easily SSH into a server that requires a certificate signed by HashiCorp Vault.

Features

• List signable roles
• Sign an SSH public key
• Automatically sign a key and SSH into a server

CLI Reference

Usage: vssh [OPTIONS] [SUBCOMMAND

Options:

• -c, --config <FILE>: Sets a custom config file

Subcommands:

• connect: Connect to a server with a signed certificate
• list: List available roles
• setup: Setup the application
• sign: Sign an SSH public key

Connect

Connect to a server with an automatically generated signed certificate

Usage: vssh connect [OPTIONS] <ROLE> <KEY> <SERVER>

Options:

• -o, --options <OPTIONS>: Extra SSH client options

Arguments:

• <ROLE>: Role to sign public key with
• <KEY>: Private key to authenticate with
• <SERVER>: SSH server connection string

List

List available roles

Usage: vssh list

Setup

Generate a configuration file

Usage: vssh setup [FLAGS] [OPTIONS]

Options:

• --no-tls: Disable verification TLS when connecting to the server
• --non-interactive: Run setup non-interactively
• --path <PATH>: Path of the SSH CA on the Vault server
• --server <SERVER>: HashiCorp Vault server to connect to
• --token <TOKEN>: Token to use when authenticating
• --custom-ca <PATH>: Path to the public part of the custom CA

Sign

Sign an SSH public key

Usage: vssh sign [OPTIONS] <ROLE> <KEY>

Options:

• -o, --output <FILE>: File to write the signed certificate to

Arguments:

• <ROLE>: Role to sign public key with
• <KEY>: Public key to be signed

TODO:

• add profiles
• custom CAs
• self-signed certificates
• use non-blocking version of reqwest