Our goal is to use a different key for every SSH session and so get rid of the need for a static key.
For this we will use "Vault".
First we enable the relevant ssh secrets engine.
vault secrets enable -path=can_ssh_training ssh
Then we turn Vault into an SSH Certificate Authority.
vault write can_ssh_training/config/ca generate_signing_key=true
If we want to read the public key:
vault read -field=public_key can_ssh_training/config/ca
Next we need to define the SSH role in Vault.
vault write can_ssh_training/roles/ssh-access-role -<<"EOH"
{
"key_type": "ca",
"allow_user_certificates": true,
"allow_user_key_ids": true,
"allowed_users": "vaultTestUser2,vaultTestUser",
"default_user": "vaultTestUser2",
"ttl": "30m",
"allowed_extensions": "*",
"default_extensions": {
"permit-pty": "",
"permit-port-forwarding": "",
"permit-agent-forwarding": ""
}
}
EOH
NOTE: Vault is very picky here about how the JSON is written.
Let's check.
vault read can_ssh_training/roles/ssh-access-role
Key Value
--- -----
algorithm_signer default
allow_bare_domains false
allow_empty_principals false
allow_host_certificates false
allow_subdomains false
allow_user_certificates true
allow_user_key_ids true
allowed_critical_options n/a
allowed_domains n/a
allowed_domains_template false
allowed_extensions *
allowed_user_key_lengths map[]
allowed_users vaultTestUser2,vaultTestUser
allowed_users_template false
default_critical_options map[]
default_extensions map[permit-agent-forwarding: permit-port-forwarding: permit-pty:]
default_extensions_template false
default_user vaultTestUser2
default_user_template false
key_id_format n/a
key_type ca
max_ttl 0s
not_before_duration 30s
ttl 30m
Now we generate a key for this user; Vault will sign it and produce a certificate, and we will ssh with that certificate.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/vault_ssh
And now we create the certificate for this user.
vault write -field=signed_key can_ssh_training/sign/ssh-access-role public_key=@$HOME/.ssh/vault_ssh.pub > $HOME/.ssh/vault_ssh-cert.pub
If we want to inspect the certificate:
ssh-keygen -Lf .ssh/vault_ssh-cert.pub
.ssh/vault_ssh-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:LZjNChO4wr4EMWHcynP6w0jQbpPTn4iAebRfLz1UpCk
Signing CA: RSA SHA256:bknvbsNOnSzZOwJYVcgr5iVhRzbwlx+3YB8IP2DFSWQ (using rsa-sha2-256)
Key ID: "vault-root-2d98cd0a13b8c2be043161dcca73fac348d06e93d39f888079b45f2f3d54a429"
Serial: 11241780918389502608
Valid: from 2026-05-21T13:46:44 to 2026-05-21T14:17:14
Principals:
vaultTestUser2
Critical Options: (none)
Extensions:
permit-agent-forwarding
permit-port-forwarding
permit-pty
Now we need to configure the Linux host.
Linux Host
Requirement: a user with a home directory and a default shell. My plan is to grant SSH access only to that user, and a separate SSH access per user.
useradd -m -s /bin/bash vaultTestUser2
We also need to register Vault's CA public key on the system as a trusted CA.
nano /etc/ssh/trusted-user-ca-keys.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3pTAzr8q/L7aNb7uyWtEyOHLfNjOAKVcDQXSPI+oGtyvY5Yhhyyf6oJRxOENUJbMqUDZNLsWv0cJDUhvjBGk+qE6+/Qkr4h3d+FLMgBLd55lY2+IYCLmODVnJKi2QQ3FaiXPI0Xff+1hTPMtcGATlZQHLW+w37eC......
We also need to grant the permission explicitly.
cat /etc/ssh/auth_principals/vaultTestUser2
vaultTestUser2
Then we edit "sshd_config":
#VAULT
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
PermitTTY yes
PermitUserRC yes
PermitOpen any
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
ChallengeResponseAuthentication no
PermitUserEnvironment yes
Test
ls -lap .ssh/
-rw-------@ 1 staff staff 3401 May 21 07:57 vault_ssh
-rw-r--r--@ 1 staff staff 2546 May 21 13:47 vault_ssh-cert.pub
-rw-r--r--@ 1 staff staff 754 May 21 07:57 vault_ssh.pub
ssh -i .ssh/vault_ssh vaultTestUser2@192.168.0.12
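As an added example that is not part of the original post, the POSIX shell script below checks offline whether the certificate produced above would pass the checks the sshd_config above turns on: the Signing CA fingerprint, the validity window, and the certificate principals against the AuthorizedPrincipalsFile. The certificate dump and the principals file are constructed from the output shown earlier; the expected CA fingerprint is an assumption (the value an operator would record when installing trusted-user-ca-keys.pem).

```shell
#!/bin/sh
# Added example, not from the original post: check a Vault-signed user
# certificate against what the target host will accept, without connecting.
# Inputs are the text of `ssh-keygen -Lf <cert>` and the text of the host's
# /etc/ssh/auth_principals/<user>; both are constructed here from the post.

# Constructed: the certificate dump shown earlier (indented as ssh-keygen prints it).
CERT_DUMP='Type: ssh-rsa-cert-v01@openssh.com user certificate
        Signing CA: RSA SHA256:bknvbsNOnSzZOwJYVcgr5iVhRzbwlx+3YB8IP2DFSWQ (using rsa-sha2-256)
        Key ID: "vault-root-2d98cd0a13b8c2be043161dcca73fac348d06e93d39f888079b45f2f3d54a429"
        Valid: from 2026-05-21T13:46:44 to 2026-05-21T14:17:14
        Principals:
                vaultTestUser2
        Critical Options: (none)
        Extensions:
                permit-pty'
# Constructed: contents of /etc/ssh/auth_principals/vaultTestUser2 from the post.
HOST_PRINCIPALS='vaultTestUser2'
# Assumed: the CA fingerprint recorded when trusted-user-ca-keys.pem was installed.
EXPECTED_CA_FP='SHA256:bknvbsNOnSzZOwJYVcgr5iVhRzbwlx+3YB8IP2DFSWQ'

# Print the principals listed in a certificate dump, one per line.
cert_principals() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*Principals:/ { in_p = 1; next }
    in_p && /^[ \t]*[A-Za-z].*:/ { in_p = 0 }   # next "Header:" line ends the list
    in_p && NF { print $1 }'
}

# Succeed when the Signing CA fingerprint equals the one the host trusts.
cert_ca_matches() {
  [ "$(printf '%s\n' "$1" | awk '/^[ \t]*Signing CA:/ { print $4 }')" = "$2" ]
}

# Succeed when the certificate is valid at the given ISO-8601 time
# (string comparison is correct for this fixed-width format).
cert_valid_at() {
  [ "$(printf '%s\n' "$1" | awk -v now="$2" \
      '/^[ \t]*Valid:/ { ok = ($3 <= now && now <= $5) ? "yes" : "no"; print ok }')" = "yes" ]
}

# Succeed when at least one certificate principal is listed in the host's file.
principal_allowed() {
  for p in $(cert_principals "$1"); do
    printf '%s\n' "$2" | grep -qxF -- "$p" && return 0
  done
  return 1
}

# sshd accepts the certificate only if all three checks pass.
check_cert() {
  cert_ca_matches "$1" "$3" && cert_valid_at "$1" "$4" && principal_allowed "$1" "$2"
}

if check_cert "$CERT_DUMP" "$HOST_PRINCIPALS" "$EXPECTED_CA_FP" "2026-05-21T14:00:00"; then
  echo "certificate would be accepted for: $(cert_principals "$CERT_DUMP" | tr '\n' ' ')"
else
  echo "certificate would be rejected"
fi
```

Run it again with a time after 14:17:14 to see the 30m ttl from the role take effect.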