hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

vault ssh fails on Windows #4618

Open rvandegrift opened 6 years ago

rvandegrift commented 6 years ago

vault ssh doesn't work on a Windows 7 VM.

To Reproduce

C:\Users\rvandegrift>vault ssh -mode=ca -role=default host.example.com
failed to write signed public key: creating temporary file: open C:\Users\rvandegrift\AppData\Local\Temp\vault_ssh_ca_winvm\rvandegrift_host.example.com.192575871671: The system cannot find the path specified.

The issue seems to be that the temp directory doesn't exist. I can fix it with:

C:\Users\rvandegrift>mkdir C:\Users\rvandegrift\AppData\Local\Temp\vault_ssh_ca_winvm

Expected behavior

vault ssh should create the temp dirs it needs.

Environment:

shellwhale commented 3 years ago

I am experiencing the same issue. However, creating the temp directory doesn't fix the issue completely for me.

vault ssh -mode=ca -role=shellwhale infallible-shirley.whalewave.net
shellwhale@infallible-shirley.whalewave.net: Permission denied (publickey).
failed to run ssh command: exit status 255

Yet I can still connect correctly to my server by manually requesting a key.

vault write -field=signed_key ssh/sign/shellwhale public_key="@$HOME\.ssh\id_rsa.pub" > ~\.ssh\id_rsa-cert.pub
ssh infallible-shirley.whalewave.net

Here's my role

{
    "algorithm_signer" : "rsa-sha2-512",
    "allow_user_certificates": true,
    "allow_host_certificates": false,
    "allowed_users": "*",
    "allowed_extensions": "permit-pty,permit-port-forwarding,permit-X11-forwarding,permit-agent-forwarding,permit-user-rc",
    "default_extensions": [
    {
        "permit-pty": ""
    }
    ],
    "key_type": "ca",
    "default_user": "shellwhale",
    "ttl": "300s"
}

shellwhale commented 3 years ago

I'm still experiencing this issue months later with the latest version of Vault. If you are experiencing the same issue, you can save the following function in your PowerShell $PROFILE. This is simply an alias I use to speed up things. (Don't forget to set up your own role).

Function vault-ssh([string] $a)
{
    vault write -field=signed_key ssh/sign/shellwhale public_key="@$HOME\.ssh\id_rsa.pub" > ~\.ssh\id_rsa-cert.pub;
    ssh $a;
}

Usage

vault-ssh user@example.com

This is a 3-year-old issue, isn't there a proper solution to this?
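
A more defensive form of the manual signing workaround in the comment above, as an added example that is not part of the original thread and not Vault's own code: it creates its own temporary directory, checks that Vault returned a key, and passes the certificate to ssh explicitly instead of overwriting `~\.ssh\id_rsa-cert.pub`. The function name `Invoke-VaultSsh`, the working directory name, and the parameter defaults (mount `ssh`, role `shellwhale`, key at `~\.ssh\id_rsa`) are assumptions taken from the commands in this thread.

```powershell
# Added example, not Vault's code. Function name, parameter names and the
# working directory layout are hypothetical; adjust mount, role and key path.
function Invoke-VaultSsh {
    param(
        [Parameter(Mandatory)][string] $Target,   # e.g. user@example.com
        [string] $Role    = 'shellwhale',
        [string] $Mount   = 'ssh',
        [string] $KeyPath = (Join-Path $HOME '.ssh\id_rsa')
    )

    # Create the working directory before anything is written into it; a
    # missing temp directory is the failure described in the original report.
    $dirName = 'vault_ssh_ca_' + [Guid]::NewGuid().ToString('N')
    $dir     = Join-Path ([IO.Path]::GetTempPath()) $dirName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cert = Join-Path $dir 'signed-cert.pub'

    try {
        # Ask Vault to sign the public key; stop if it fails or returns nothing.
        $signed = vault write -field=signed_key "$Mount/sign/$Role" "public_key=@$KeyPath.pub"
        if ($LASTEXITCODE -ne 0 -or -not $signed) {
            throw "vault did not return a signed key (exit code $LASTEXITCODE)"
        }

        # Write ASCII explicitly so the certificate file's encoding does not
        # depend on which PowerShell version handles the output.
        Set-Content -Path $cert -Value $signed -Encoding Ascii

        # Name the private key and certificate explicitly rather than relying
        # on ssh finding id_rsa-cert.pub next to the key.
        ssh -i $KeyPath -o "CertificateFile=$cert" $Target
    }
    finally {
        # The certificate is short-lived (the role earlier in this thread sets
        # ttl to 300s), but remove it once the session ends anyway.
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

Called as `Invoke-VaultSsh user@example.com`, it leaves the existing files under `~\.ssh` untouched.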

heatherezell commented 5 months ago

Hi folks, is this still an issue on recent versions of Vault? Please let me know. Thanks!