Authentication using federated identity
Brian Candler
b.candler at pobox.com
Tue Feb 13 21:13:39 AEDT 2024
On 13/02/2024 09:35, Gilbert Netzer wrote:
> we have not yet
> found a good way to for example get a token, e.g. a SSH key or certificate,
> in or out of the web-browser into the non-web part, for instance a SSH agent
Here's something I knocked together for my own use:
https://github.com/candlerb/vault-ssh-agent-login
You run this from the command line, and it talks to your local
ssh-agent. If you don't have a suitable certificate already then it
generates a new key pair, gets Vault to sign it, and then inserts the
new key and cert into ssh-agent (set to expire when the cert expires).
If you're using Vault with OIDC auth then it opens a browser window for
that part, similar to how kubelogin works.
More information about the openssh-unix-dev
mailing list