Phase 2: Vault SSH Certificate Auth
Generate a keypair on the phone, sign with Vault SSH CA, and configure cert-based authentication.
Generate Keypair on Phone
On phone (Termux):
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_vault -N "" -C "zfold7-termux"
Fetch Public Key to Workstation
The workstation's hardened SSH client config offers six IdentityFile keys before it falls back to a password, which trips the phone's MaxAuthTries limit and ends the session with "Too many authentication failures". Running scp under sudo means root's (empty) client config is used instead of ~/.ssh/config, and -o PubkeyAuthentication=no forces password auth for this one bootstrap copy.
sudo scp -o PubkeyAuthentication=no -P 8022 u0_a385@10.50.10.110:~/.ssh/id_ed25519_vault.pub /tmp/zfold7.pub
sudo chown evanusmodestus:evanusmodestus /tmp/zfold7.pub
Load Vault Credentials
dsource d000 dev/vault
vault status
Fix Vault Role: Add Termux User
The Vault SSH CA role only signs certificates whose principals appear in allowed_users, so the Termux login user must be listed there. Termux derives that user name from the app's Linux UID, which changes on every reinstall (e.g., u0_a361 → u0_a385), so the role has to be updated after each reinstall.
# Check current allowed_users
vault read -format=json ssh/roles/domus-client | jq -r '.data.allowed_users | split(",") | .[]'
# Update role to add the new Termux user (vault write replaces the whole role, so every field to keep must be re-supplied)
vault write ssh/roles/domus-client - <<'EOF'
{
"allowed_users": "Administrator,domus\\Administrator,admin,adminerosado,ansible,evanusmodestus,gabriel,root,u0_a361,u0_a385",
"key_type": "ca",
"default_user": "evanusmodestus",
"ttl": "8h",
"allow_user_certificates": true,
"default_extensions": {"permit-pty": "", "permit-user-rc": ""}
}
EOF
# Verify
vault read -format=json ssh/roles/domus-client | jq -r '.data.allowed_users | split(",") | .[] | select(test("u0_a"))'
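The role update above is easy to get wrong after a reinstall: vault write replaces the role, so submitting only allowed_users would silently reset ttl, default_extensions and the other fields, and the stale user ID stays in the list forever unless removed by hand. The script below is an added example, not part of the original runbook, that reads the role, swaps the old Termux user for the new one, and writes the whole role back. It assumes the role path ssh/roles/domus-client, vault and jq on PATH with VAULT_ADDR and VAULT_TOKEN exported, and that every field returned by vault read is accepted back by vault write (true for the fields the role above uses).

```shell
#!/bin/sh
# Added example (not from the runbook): rotate a Termux principal in a Vault SSH CA role.
# Assumes: vault + jq on PATH, VAULT_ADDR/VAULT_TOKEN exported, role path ssh/roles/<name>.
set -eu

# merge_users LIST USER: append USER to the comma-separated LIST unless already present.
merge_users() {
  list=$1 user=$2
  if [ -z "$list" ]; then
    printf '%s\n' "$user"
    return
  fi
  case ",$list," in
    *",$user,"*) printf '%s\n' "$list" ;;
    *)           printf '%s,%s\n' "$list" "$user" ;;
  esac
}

# drop_user LIST USER: remove USER from the comma-separated LIST (no-op if absent or USER is empty).
drop_user() {
  list=$1 user=$2 out=
  old_ifs=$IFS
  IFS=,
  for u in $list; do
    [ "$u" = "$user" ] && continue
    out=${out:+$out,}$u
  done
  IFS=$old_ifs
  printf '%s\n' "$out"
}

# update_role ROLE NEW_USER [OLD_USER]: read the role, edit allowed_users, write the role back whole.
update_role() {
  role=$1 new=$2 old=${3:-}
  current=$(vault read -format=json "ssh/roles/$role")
  users=$(printf '%s' "$current" | jq -r '.data.allowed_users')
  users=$(merge_users "$(drop_user "$users" "$old")" "$new")
  # vault write replaces the role, so submit every field, not just allowed_users
  printf '%s' "$current" \
    | jq --arg u "$users" '.data | .allowed_users = $u' \
    | vault write "ssh/roles/$role" -
  # show the result for the eyeball check the runbook does with select(test("u0_a"))
  vault read -format=json "ssh/roles/$role" | jq -r '.data.allowed_users'
}

# e.g. ./rotate-termux-user.sh domus-client u0_a385 u0_a361
if [ $# -ge 2 ]; then
  update_role "$@"
fi
```

Run it as `./rotate-termux-user.sh domus-client u0_a385 u0_a361` after a reinstall; the third argument is optional, so the same script also just adds a user without removing anything.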
Sign Certificate with Vault SSH CA
vault write -field=signed_key ssh/sign/domus-client \
public_key=@/tmp/zfold7.pub \
valid_principals="evanusmodestus,u0_a385" \
> /tmp/zfold7-cert.pub
# Verify certificate principals (prints the Principals block up to the Critical Options line)
ssh-keygen -L -f /tmp/zfold7-cert.pub | sed -n '/Principals:/,/Critical Options:/p'
Copy Cert and Keys to Phone
# Copy signed cert
sudo scp -o PubkeyAuthentication=no -P 8022 /tmp/zfold7-cert.pub u0_a385@10.50.10.110:~/.ssh/id_ed25519_vault-cert.pub
# Copy software SSH keys (NOT hardware-bound YubiKey keys)
sudo scp -o PubkeyAuthentication=no -P 8022 \
~/.ssh/id_ed25519_d000 \
~/.ssh/id_ed25519_d000.pub \
~/.ssh/id_ed25519_github \
~/.ssh/id_ed25519_github.pub \
~/.ssh/id_ed25519_gitlab \
~/.ssh/id_ed25519_gitlab.pub \
~/.ssh/id_ed25519_gitea \
~/.ssh/id_ed25519_gitea.pub \
~/.ssh/id_ed25519_codeberg \
~/.ssh/id_ed25519_codeberg.pub \
~/.ssh/id_ed25519_bitbucket \
~/.ssh/id_ed25519_bitbucket.pub \
~/.ssh/config \
u0_a385@10.50.10.110:~/.ssh/
Set Permissions on Phone
chmod 600 ~/.ssh/id_ed25519_*
chmod 644 ~/.ssh/*.pub ~/.ssh/*-cert.pub
chmod 600 ~/.ssh/config
Configure Phone authorized_keys for Cert Auth
# Add workstation pubkey (fallback)
cat ~/.ssh/id_ed25519_d000.pub | sudo ssh -o PubkeyAuthentication=no -p 8022 u0_a385@10.50.10.110 'cat >> ~/.ssh/authorized_keys'
# Add Vault CA for cert auth (sshd then accepts any cert signed by this CA whose principals include the login user, u0_a385)
vault read -field=public_key ssh/config/ca | awk '{print "cert-authority "$0}' | sudo ssh -o PubkeyAuthentication=no -p 8022 u0_a385@10.50.10.110 'cat >> ~/.ssh/authorized_keys'
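Both appends above use >>, so every re-run of this phase adds another copy of the key and the CA line to authorized_keys. The script below is an added example, not part of the original runbook: it extracts the key material (type plus base64) from an authorized_keys entry, ignoring any leading options such as cert-authority and the trailing comment, and appends the entry only if that key is not already listed. The file path and the two sample keys inside it are constructed placeholders; on the phone the file is ~/.ssh/authorized_keys and the CA entry is built from vault read -field=public_key ssh/config/ca as above.

```shell
#!/bin/sh
# Added example (not from the runbook): append authorized_keys entries without duplicating them.
set -eu

# key_material ENTRY: print "<type> <base64>" of an authorized_keys line,
# dropping leading options (cert-authority, from=..., principals=...) and the comment.
key_material() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^(ssh-|ecdsa-|sk-)/ && i < NF) { print $i, $(i+1); exit }
  }'
}

# add_key FILE ENTRY: append ENTRY to FILE unless the same key is already present
# (its options or comment may differ); report what happened on stdout.
add_key() {
  file=$1 entry=$2
  want=$(key_material "$entry")
  [ -n "$want" ] || { echo "add_key: no key material in entry" >&2; return 1; }
  if [ -f "$file" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      [ "$(key_material "$line")" = "$want" ] && { echo "present: $want"; return 0; }
    done < "$file"
  fi
  # create the file with 0600 if it does not exist yet
  (umask 077; printf '%s\n' "$entry" >> "$file")
  echo "added: $want"
}

# Constructed placeholder keys for illustration; the base64 is not a real key.
CA_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedVaultCaKeyPlaceholder00000000 vault-ssh-ca'
WS_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedWorkstationKeyPlaceholder000 evanusmodestus@d000'

# Usage on the phone (or wrapped in the sudo ssh pipeline from the runbook):
#   add_key ~/.ssh/authorized_keys "$(cat /tmp/d000.pub)"
#   add_key ~/.ssh/authorized_keys "cert-authority $(vault read -field=public_key ssh/config/ca)"
if [ $# -eq 2 ]; then
  add_key "$1" "$2"
fi
```

Because the comparison is on key material only, re-running with a different comment, or later tightening the CA line with an option such as principals="u0_a385", is detected as "present" rather than appended as a second line; edit the existing line in that case.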
Re-sign Workstation Cert with Termux Principal
The workstation logs in to the phone as u0_a385, so its own Vault-signed cert must carry that principal as well (sshd checks the cert's principals against the login name):
vault write -field=signed_key ssh/sign/domus-client \
public_key=@$HOME/.ssh/id_ed25519_vault.pub \
valid_principals="Administrator,admin,adminerosado,ansible,domus\\Administrator,evanusmodestus,u0_a385" \
>| ~/.ssh/id_ed25519_vault-cert.pub
# Verify u0_a385 in principals
ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pub | grep -A10 Principals
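Both verification steps, the phone cert earlier and the re-signed workstation cert here, rely on reading ssh-keygen -L output by eye. The script below is an added example, not part of the original runbook, that turns this into a pass/fail check: it pulls the Principals block and the expiry out of the listing and fails if the required principal is missing, which is the condition that produces a bare "Permission denied (publickey)" on the phone. The sample listing embedded in it is constructed for illustration; its fingerprints, key ID and serial are placeholders.

```shell
#!/bin/sh
# Added example (not from the runbook): machine-check the principals and expiry
# of an SSH certificate from `ssh-keygen -L` output.
set -eu

# listing_principals: stdin = `ssh-keygen -L` output; stdout = one principal per line.
# The Principals block is the indented lines between "Principals:" and the next
# "<Name>:" header (normally "Critical Options:").
listing_principals() {
  awk '
    /^[ \t]*Principals:/ { inblock = 1; next }
    inblock && /^[ \t]*[A-Za-z ]+:/ { exit }
    inblock { sub(/^[ \t]+/, ""); if ($0 != "" && $0 != "(none)") print }
  '
}

# listing_valid_to: stdin = listing; stdout = the "to" timestamp of the Valid: line
# ("forever" for certs without an expiry).
listing_valid_to() {
  awk '/^[ \t]*Valid:/ { print $NF; exit }'
}

# listing_has_principal NAME: stdin = listing; exit 0 iff NAME is one of the principals.
listing_has_principal() {
  listing_principals | grep -qxF -- "$1"
}

# cert_check FILE NAME: run ssh-keygen on a real cert file and report OK/FAIL.
cert_check() {
  listing=$(ssh-keygen -L -f "$1")
  if printf '%s\n' "$listing" | listing_has_principal "$2"; then
    printf 'OK   %s: principal %s present, valid to %s\n' \
      "$1" "$2" "$(printf '%s\n' "$listing" | listing_valid_to)"
  else
    printf 'FAIL %s: principal %s missing (have: %s)\n' \
      "$1" "$2" "$(printf '%s\n' "$listing" | listing_principals | tr '\n' ' ')" >&2
    return 1
  fi
}

# Constructed sample of `ssh-keygen -L` output (fingerprints, key ID and serial are placeholders).
SAMPLE_LISTING='/tmp/zfold7-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:constructedUserFingerprint
        Signing CA: ED25519 SHA256:constructedCaFingerprint (using ssh-ed25519)
        Key ID: "vault-token-constructed"
        Serial: 1
        Valid: from 2025-01-02T10:00:00 to 2025-01-02T18:00:00
        Principals: 
                evanusmodestus
                u0_a385
        Critical Options: (none)
        Extensions: 
                permit-pty
                permit-user-rc'

# Usage: ./check-cert.sh ~/.ssh/id_ed25519_vault-cert.pub u0_a385
if [ $# -eq 2 ]; then
  cert_check "$1" "$2"
fi
```

With the 8h ttl in the role, the "valid to" timestamp is the other thing worth reading off before blaming the phone's sshd: an expired cert fails exactly like a cert with the wrong principal.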
Verify SSH with Vault Cert
ssh fold7
| Check | Status |
|---|---|
| Keypair generated on phone | [x] |
| Pubkey fetched to workstation | [x] |
| Vault role updated with Termux user | [x] |
| Certificate signed by Vault CA | [x] |
| Cert + keys copied to phone | [x] |
| Permissions set on phone | [x] |
| authorized_keys configured (pubkey + CA) | [x] |
| Workstation cert re-signed with Termux principal | [x] |
| SSH via | [x] |