Difficulty: intermediate
Estimated Time: 15 minutes

By default, SSH servers use password authentication with optional public key authentication. If any user on the system has a fairly weak password, this allows an attacker to hijack the SSH connection.

Each time a client wants to SSH into a remote host, Vault can create a one-time password (OTP) for that SSH authentication; a helper command on the remote host verifies the OTP against Vault.

SSH Secrets Engine: One-Time SSH Password

Step 1 of 4

Set up the SSH secrets engine

Start the Vault server.

sudo systemctl start vault

Export an environment variable for the vault CLI to address the Vault server.

export VAULT_ADDR='http://0.0.0.0:8200'

Log in as a highly privileged user.

vault login root

Enable the SSH secrets engine.

vault secrets enable ssh

Create a role named otp_key_role with key_type set to otp.

vault write ssh/roles/otp_key_role key_type=otp \
      default_user=ubuntu \
      cidr_list=0.0.0.0/0
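The role above accepts OTP requests for any target IP (cidr_list=0.0.0.0/0) and, because allowed_users is not set, for any username. The following added example is not Vault's code or part of the tutorial; it is a small model of the role checks described in Vault's SSH secrets engine API documentation (cidr_list, exclude_cidr_list, allowed_users, default_user), placing the tutorial's open role beside a scoped one with constructed addresses and usernames so the difference is visible before any OTP is issued.

```python
import ipaddress


def _cidrs(value):
    """Parse a comma-separated cidr string, as the role fields are written."""
    return [ipaddress.ip_network(c.strip()) for c in value.split(",") if c.strip()]


def otp_request_allowed(role, ip, username):
    """Return True if an OTP for username@ip may be issued under this role.

    Assumed model of Vault's documented checks (not Vault's own code):
    - ip must fall inside cidr_list and outside exclude_cidr_list
    - if allowed_users is empty or '*', any username is accepted
    - otherwise username must be default_user or listed in allowed_users
    """
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in _cidrs(role["cidr_list"])):
        return False
    if any(addr in net for net in _cidrs(role.get("exclude_cidr_list", ""))):
        return False
    allowed = [u.strip() for u in role.get("allowed_users", "").split(",") if u.strip()]
    if not allowed or "*" in allowed:
        return True
    return username == role["default_user"] or username in allowed


# Role exactly as the tutorial writes it: every host, every username.
TUTORIAL_ROLE = {"key_type": "otp", "default_user": "ubuntu", "cidr_list": "0.0.0.0/0"}

# Scoped alternative (constructed values): one lab subnet, the gateway
# excluded, and only the two accounts that should be reachable this way.
SCOPED_ROLE = {
    "key_type": "otp",
    "default_user": "ubuntu",
    "cidr_list": "10.0.10.0/24",
    "exclude_cidr_list": "10.0.10.1/32",
    "allowed_users": "ubuntu,deploy",
}

if __name__ == "__main__":
    for role_name, role in (("tutorial", TUTORIAL_ROLE), ("scoped", SCOPED_ROLE)):
        for ip, user in (("203.0.113.7", "root"), ("10.0.10.42", "deploy"), ("10.0.10.1", "ubuntu")):
            print(f"{role_name:8} {user}@{ip}: {otp_request_allowed(role, ip, user)}")
```

The same narrowing is applied to the real role by passing cidr_list, exclude_cidr_list and allowed_users to vault write ssh/roles/otp_key_role.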