Vault SSH PKI with OIDC - user as SSH principal


Problem description


My configuration so far is working fine. Users can log in to the Vault web interface using OIDC (linked to Azure AD). AD groups are transmitted to Vault as well, so I can assign AD groups to Vault policies. A user who is signed in to Vault is able to sign an SSH public key. So far so good...

The only missing piece is identity propagation. I want to be able to trace users on my SSH hosts. As such, I need to add the username to the SSH certificate.

Therefore, when a user signs her SSH public key, I want to add her username (email, full name, anything that relates to her real identity) as a principal to the SSH certificate.

If I understood correctly, my issue is similar to this one, but instead of the userpass auth method, I use OIDC.

I tried to adapt the code as suggested in the GitHub issue:

# Look up the accessor of the OIDC mount once; the identity template keys on
# the accessor, not on the mount path.
OIDC_ACCESSOR=$(vault auth list -format=json | jq -r '.["oidc/"].accessor')

# allowed_users_template must be true, otherwise Vault treats the {{...}}
# text in allowed_users literally instead of expanding it at signing time.
cat <<EOF > signer-clientrole.hcl
{
    "allow_user_certificates": true,
    "allowed_users_template": true,
    "allowed_users": "root,{{identity.entity.aliases.${OIDC_ACCESSOR}.name}}",
    "default_user": "",
    "allow_user_key_ids": false,
    "default_extensions": [
        {
          "permit-pty": ""
        }
    ],
    "key_type": "ca",
    "ttl": "60m0s"
}
EOF
vault write ssh/roles/clientrole @signer-clientrole.hcl

However, when I want to sign a certificate with my username entered in the "principals" web form, I receive an error that the principal does not exist. See image below:

(Image: Sign Error)

I hope my issue became clear. I am using Vault 1.4.2 on Debian 10.

Solution

For anyone struggling with the same issues, I found a solution to the problem.

When configuring the OIDC role, I used sub for bound_subject, as was suggested in all corresponding tutorials, and I did not question the value. sub is some kind of UUID identifying a user in the AD.

So I tried email instead, viewed the server.log file and found the following entry:

[DEBUG] identity: creating a new entity: alias="id:"..." canonical_id:"..." mount_type:"oidc" mount_accessor:"auth_oidc_..." mount_path:"auth/oidc/" name:"example_user@example.com"...

So the value of bound_subject is written as the value of name at whatever is behind identity.entity.aliases.$(vault auth list -format=json | jq -r '.["oidc/"].accessor') (see the initial question).

So now, using the email address as principal in the web form, it works:

And viewing the Certificate Properties also showed that it worked:

ssh-keygen -Lf ssh-cert.pub

ssh-cert-v11.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:...
        Signing CA: RSA SHA256:...
        Key ID: "vault-oidc-example-user@example.com-..."
        Serial: ...
        Valid: from ...
        Principals: 
                example-user@example.com
        Critical Options: (none)
        Extensions: 
                ...
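The following script is an added example and is not code from the question, the answer or HashiCorp; it ties the two halves of the page together. In the Vault OIDC auth role, the claim that becomes the entity alias name is the one selected by user_claim (bound_subject only constrains the sub claim), so the script sets user_claim=email, points the SSH CA role's allowed_users template at that alias name, signs a key for that principal, and checks the issued certificate with the same ssh-keygen -Lf dump shown above. Mount paths auth/oidc/ and ssh/, the role names default and clientrole, the policy name ssh-user, the environment variables VAULT_ADDR and OIDC_CLIENT_ID, and the sample dumps at the bottom are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (made up for
# this example): OIDC auth mounted at auth/oidc/, SSH CA engine at ssh/, the
# IdP issues an "email" claim, policy "ssh-user", roles "default" and
# "clientrole", and VAULT_ADDR / OIDC_CLIENT_ID are set in the environment.

# Accessor of the OIDC mount: the identity template keys on the accessor,
# not on the mount path.
oidc_accessor() {
    vault auth list -format=json | jq -r '.["oidc/"].accessor'
}

# Template that expands, at signing time, to the alias name of the calling
# entity on the given mount. The alias name is whatever claim user_claim
# selects on the OIDC role, so both roles have to agree on it.
allowed_users_template() {
    printf '{{identity.entity.aliases.%s.name}}' "$1"
}

provision() {
    accessor=$(oidc_accessor)

    # user_claim chooses the alias name; bound_subject only constrains "sub".
    vault write auth/oidc/role/default \
        role_type=oidc \
        user_claim=email \
        groups_claim=groups \
        oidc_scopes=openid,profile,email \
        bound_audiences="$OIDC_CLIENT_ID" \
        allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
        token_policies=ssh-user

    # Least privilege: the user may only ask this one role to sign a key.
    vault policy write ssh-user - <<'EOF'
path "ssh/sign/clientrole" {
  capabilities = ["create", "update"]
}
EOF

    # No "root" in allowed_users: the certificate must name the person.
    # allowed_users_template=true is what makes Vault render the template.
    vault write ssh/roles/clientrole - <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users_template": true,
  "allowed_users": "$(allowed_users_template "$accessor")",
  "default_user": "",
  "allow_user_key_ids": false,
  "default_extensions": { "permit-pty": "" },
  "ttl": "60m"
}
EOF
}

# Ask Vault to sign a public key for the caller's own identity. The requested
# principal must equal what the template expands to, so it is passed in.
sign_key() {   # $1 = public key file, $2 = principal (the e-mail)
    vault write -field=signed_key ssh/sign/clientrole \
        public_key=@"$1" valid_principals="$2" > "${1%.pub}-cert.pub"
}

# Principals listed in an `ssh-keygen -Lf` dump read from stdin, one per line.
cert_principals() {
    awk '
        /^[ \t]*Principals:/ { in_p = 1; next }
        in_p && /^[ \t]*[A-Za-z ]+:/ { in_p = 0 }
        in_p { sub(/^[ \t]+/, ""); if ($0 != "") print }
    '
}

# True only if the dump on stdin names exactly the expected principal. A
# second principal (e.g. "root") would make the login unattributable from
# the principal alone, so it is rejected here.
check_cert_identity() {   # $1 = expected principal
    [ "$(cert_principals)" = "$1" ]
}

# Constructed dumps for an offline check of the parser (not real certificates).
SAMPLE_DUMP='ssh-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:constructed
        Signing CA: RSA SHA256:constructed
        Key ID: "vault-oidc-example-user@example.com-0"
        Serial: 1
        Valid: from 2020-06-01T10:00:00 to 2020-06-01T11:00:00
        Principals:
                example-user@example.com
        Critical Options: (none)
        Extensions:
                permit-pty'
SAMPLE_DUMP_ROOT=$(printf '%s\n' "$SAMPLE_DUMP" | awk '/Principals:/ { print; print "                root"; next } { print }')

# Usage: sh vault-ssh-principal.sh provision
#        sh vault-ssh-principal.sh sign id_rsa.pub user@example.com
#        sh vault-ssh-principal.sh verify id_rsa-cert.pub user@example.com
case "${1:-}" in
    provision) provision ;;
    sign)      sign_key "$2" "$3" ;;
    verify)    ssh-keygen -Lf "$2" | check_cert_identity "$3" && echo "principal ok" ;;
esac
```

The role deliberately drops root from allowed_users. With "root,{{...}}" as in the question, a user can still request the principal root, and the only trace of who did it is then the certificate's key ID (vault-oidc-<user>-...), which sshd records in its "Accepted publickey" log line; the principal alone no longer identifies the person. Keeping the template as the sole allowed user means the sign request fails unless the principal is the caller's own alias name, which is the traceability the question asks for.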
