-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathvault-ssh
More file actions
executable file
·101 lines (86 loc) · 2.41 KB
/
vault-ssh
File metadata and controls
executable file
·101 lines (86 loc) · 2.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/bin/bash
# Simple script to SSH to remote server using Vault authentication.
#
# Set values
pkg=${0##*/}
VAULT_SSH_ROLENAME=${VAULT_SSH_ROLENAME:-"monuser"}
PERSONAL_PUBKEY=${PERSONAL_PUBKEY:-"${HOME}/.ssh/id_rsa.pub"}
VAULT_SSH_PUBKEY="${PERSONAL_PUBKEY%.*}-cert.pub"
# set colors
red=$(tput setaf 1)
green=$(tput setaf 2)
yellow=$(tput setaf 3)
blue=$(tput setaf 4)
purple=$(tput setaf 5)
cyan=$(tput setaf 6)
white=$(tput setaf 7)
reset=$(tput sgr0)
log() {
# Write messages to screen
echo "$(date +"%F %T") [${pkg}] $1"
}
die() {
log "${red}[FAIL] $1${reset}" >&2 && return 1
}
usage() {
cat <<EOM
${pkg}
SSH into remote host using Vault authentication.
Usage: ${pkg} [options] destination
Options:
-h, --help
Output help (this message)
-r=, --role=[role_name]
Name of Vault role to use (defaults to 'monuser'). Leave this as the default.
-p=, --pubkey=[public_key]
Full path to your personal public key (defaults to ${HOME}/.ssh/id_rsa.pub).
EOM
}
vault-ssh() {
# Authenticate to Vault, getting access tokens. Store the role for future usage.
if [[ ! $(vault token-lookup >/dev/null 2>&1) ]]; then
read -s -p 'Enter your company password to authenticate with Vault: ' NET_PWD
echo ''
vault login -method=userpass -path=ping username=${USER} password="${NET_PWD}" &>/dev/null
[[ $? -ne 0 ]] && die "Please resolve the error above and try again."
unset NET_PWD
fi
echo ${VAULT_SSH_ROLENAME} > ${HOME}/.vault_ssh_role
log "Using role ${VAULT_SSH_ROLENAME} to obtain signed Vault SSH key, ${VAULT_SSH_PUBKEY}, with public key ${PERSONAL_PUBKEY}"
vault write -field signed_key ssh/sign/${VAULT_SSH_ROLENAME} public_key=@${PERSONAL_PUBKEY} > ${VAULT_SSH_PUBKEY}
[[ $? -ne 0 ]] && die "Please resolve the error above and try again."
chmod 0600 ${VAULT_SSH_PUBKEY}
}
ssh-conn() {
# Wrapper for SSH connection
log "Connecting to ${SSH_CONN}"
ssh ${SSH_CONN}
}
# Process command line
for arg in "$@"; do
case $arg in
-h | --help)
usage
exit 0
;;
-r=* | --role=*)
VAULT_SSH_ROLENAME="${arg#*=}"
shift
;;
-p=* | --pubkey=*)
PERSONAL_PUBKEY="${arg#*=}"
VAULT_SSH_PUBKEY="${PERSONAL_PUBKEY%.*}-cert.pub"
shift
;;
-*)
echo "${red}Unknown option ${arg}, exiting...${reset}"
usage
exit 1
;;
*)
SSH_CONN="${arg}"
;;
esac
done
vault-ssh
[[ ! -z ${SSH_CONN} ]] && ssh-conn