Description
Describe the bug
I'm running vault-ssh-helper on servers to validate SSH OTPs.
Not sure when this occurred, but I recently noticed that a user can request an OTP password for IP 1.2.3.32 but can use this password on any server on the 1.2.3/x subnet.
I'm pretty sure this didn't use to work.
To Reproduce
So let's say I want to SSH into the node 1.2.3.4.
In my example below I will generate an OTP for 1.2.3.32 and consume it on 1.2.3.4.
client:
vault write ssh/creds/otp_key_role ip=1.2.3.32 -format=json
ssh ubuntu@1.2.3.4
paste password
prompt>
vault-ssh-helper's log on the server (1.2.3.4):
2020/02/21 10:33:57 [INFO] using SSH mount point: ssh
2020/02/21 10:33:57 [INFO] ubuntu@1.2.3.32 authenticated!
Expected behavior
Should only be able to log in if the server has the IP address configured.
Environment:
- Vault Server Version (retrieve with vault status): 1.1.5
- Vault CLI Version (retrieve with vault version): 1.3.0
- Server Operating System/Architecture: ubuntu bionic
- vault-ssh-helper v0.1.4
Vault server configuration file(s):
vault policy read ssh
path "/ssh/creds/otp_key_role" {
capabilities = [ "create", "update" ]
}
path "/sys/leases/revoke/ssh/creds/otp_key_role/*" {
capabilities = [ "update" ]
}
vault read ssh/roles/otp_key_role
Key Value
allowed_users ubuntu,centos,deploy
cidr_list 1.2.3.0/16,172.31.1.0/24,192.168.186.0/24
default_user ubuntu
exclude_cidr_list n/a
key_type otp
port 22
vault token lookup
..
policies [ssh]
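The check a practitioner would want on the server side is the one the expected behavior describes: the IP that Vault reports for the OTP must be this host's own address, not merely fall inside a broad CIDR allow-list. The following is an added illustration, not vault-ssh-helper's own code. It embeds a constructed stand-in for the JSON Vault returns from the ssh/verify endpoint (a real helper would call the Vault API and enumerate the host's interfaces); the function names, the host address list and the allow-list values are assumptions chosen to reproduce the scenario in the report (OTP issued for 1.2.3.32, presented on 1.2.3.4, with 1.2.3.0/16 in the allow-list).

```python
import ipaddress

# Constructed stand-in for the data Vault returns when an OTP is verified:
# the IP and username the OTP was issued for. Not a captured response.
CONSTRUCTED_VERIFY_RESPONSE = {"data": {"ip": "1.2.3.32", "username": "ubuntu"}}


def ip_matches_host(issued_ip, host_addrs):
    """True only if the OTP's issued IP is literally one of this host's addresses."""
    issued = ipaddress.ip_address(issued_ip)
    return any(issued == ipaddress.ip_address(a) for a in host_addrs)


def ip_in_cidrs(issued_ip, cidrs):
    """True if the issued IP falls inside any of the configured CIDR ranges.
    strict=False lets a range like 1.2.3.0/16 be read as 1.2.0.0/16."""
    issued = ipaddress.ip_address(issued_ip)
    return any(issued in ipaddress.ip_network(c, strict=False) for c in cidrs)


def accept_otp(verify_response, host_addrs, allowed_cidrs, require_host_match=True):
    """Decide whether a verified OTP may log in on this host.

    require_host_match=True  -> the issued IP must be one of host_addrs
                                (the expected behavior from the report).
    require_host_match=False -> the issued IP only has to sit inside
                                allowed_cidrs (the permissive behavior that
                                lets an OTP for 1.2.3.32 work on 1.2.3.4).
    Returns (accepted, reason).
    """
    data = verify_response.get("data") or {}
    issued_ip = data.get("ip")
    if not issued_ip:
        return False, "verify response carries no ip"
    if require_host_match:
        if ip_matches_host(issued_ip, host_addrs):
            return True, f"OTP issued for {issued_ip}, which is this host"
        return False, f"OTP issued for {issued_ip}, not for this host ({', '.join(host_addrs)})"
    if ip_in_cidrs(issued_ip, allowed_cidrs):
        return True, f"OTP issued for {issued_ip}, inside allowed CIDRs {allowed_cidrs}"
    return False, f"OTP issued for {issued_ip}, outside allowed CIDRs {allowed_cidrs}"


if __name__ == "__main__":
    # Assumed host: the node 1.2.3.4 from the report, with a /16 allow-list.
    host = ["1.2.3.4"]
    cidrs = ["1.2.3.0/16"]
    # Permissive check reproduces the symptom in the report.
    print(accept_otp(CONSTRUCTED_VERIFY_RESPONSE, host, cidrs, require_host_match=False))
    # Host-match check rejects the same OTP on 1.2.3.4 ...
    print(accept_otp(CONSTRUCTED_VERIFY_RESPONSE, host, cidrs))
    # ... and accepts it on the host it was actually issued for.
    print(accept_otp(CONSTRUCTED_VERIFY_RESPONSE, ["1.2.3.32"], cidrs))
```

The CIDR comparison is still useful as a second gate (an OTP issued for an address outside every managed range should never verify), but on its own it only proves the OTP belongs to the subnet, which is exactly the gap the report describes; the host-match comparison is the one that ties the credential to a single server.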