scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove dynamic keys from SSH Secrets Engine (#18874)

Browse Source 
* Remove dynamic keys from SSH Secrets Engine

This removes the functionality of Vault creating keys and adding them to
the authorized keys file on hosts.

This functionality has been deprecated since Vault version 0.7.2.

The preferred alternative is to use the SSH CA method, which also allows
key generation but places limits on TTL and doesn't require Vault reach
out to provision each key on the specified host, making it much more
secure.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dynamic ssh references from documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dynamic key secret type entirely

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify changelog language

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add removal notice to the website

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel
2023-01-31 16:02:22 -05:00
committed by GitHub
parent cc26d0dcb8
commit 8e7f2076a2
15 changed files with 67 additions and 1439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
builtin/logical/ssh/backend.go
View File

@@ -53,7 +53,6 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
Paths: []*framework.Path{
pathConfigZeroAddress(&b),
pathKeys(&b),
pathListRoles(&b),
pathRoles(&b),
pathCredsCreate(&b),
@@ -66,7 +65,6 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
},
Secrets: []*framework.Secret{
secretDynamicKey(&b),
secretOTP(&b),
},
@@ -112,8 +110,8 @@ const backendHelp = `
The SSH backend generates credentials allowing clients to establish SSH
connections to remote hosts.
There are three variants of the backend, which generate different types of
credentials: dynamic keys, One-Time Passwords (OTPs) and certificate authority. The desired behavior
There are two variants of the backend, which generate different types of
credentials: One-Time Passwords (OTPs) and certificate authority. The desired behavior
is role-specific and chosen at role creation time with the 'key_type'
parameter.