HiveBrain v1.2.0

Vault `SSH-CA` Elliptic Curve rather than `RSA`

Submitted by: @import:stackexchange-devops

Problem

Is it possible to use ECDSA (Elliptic Curve Digital Signature Algorithm) or EdDSA (Edwards-curve Digital Signature Algorithm) instead of RSA when configuring SSH-CA on HashiCorp Vault?

Solution

I think the answer should be yes to ecdsa but no to ed25519, but that it is currently no to both.

You can externally generate an ecdsa keypair and load it into ssh/config/ca but vault-1.4.3 cannot sign using it. I haven't tried ed25519.

Golang's ssh code (which vault uses) doesn't appear to know how to sign with ed25519 but should be able to sign with ecdsa. However, I think there's an issue with an inappropriate default being set elsewhere that means it is always being told to use an rsa-based signing algorithm and hence doomed to fail for ecdsa keys. See:

https://github.com/hashicorp/vault/issues/8414#issuecomment-656145432

If I am right, it looks like an easy fix so it may be available soon.

This is possible as of August 2020; see https://github.com/hashicorp/vault/pull/9824 (tested with vault 1.6.2).
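An added example in Python, not part of the answer or of Vault's code: it parses the public body of an OpenSSH certificate (the base64 in a `*-cert.pub` file, such as one issued by Vault's SSH secrets engine) and reports the CA key type and the signature algorithm name, which is the field the answer says was being forced to an RSA algorithm. The sample certificate is constructed inline with the real field layout but dummy key and signature bytes.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _string(b):
    return struct.pack(">I", len(b)) + b

# Public-key fields that follow the nonce, per certificate type (e,n / pk / curve,Q).
_KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1,
               "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
               "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2, "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2}

def inspect_cert(cert_b64):
    """Return the algorithms named in a certificate body; no cryptographic check is done."""
    blob = base64.b64decode(cert_b64)
    cert_type, off = _read_string(blob, 0)
    cert_type = cert_type.decode()
    _, off = _read_string(blob, off)                 # nonce
    for _ in range(_KEY_FIELDS[cert_type]):          # certified public key
        _, off = _read_string(blob, off)
    off += 12                                        # uint64 serial, uint32 type
    key_id, off = _read_string(blob, off)
    _, off = _read_string(blob, off)                 # valid principals
    off += 16                                        # valid_after, valid_before
    for _ in range(3):                               # critical options, extensions, reserved
        _, off = _read_string(blob, off)
    sig_key, off = _read_string(blob, off)           # CA public key blob
    signature, off = _read_string(blob, off)         # signature blob
    ca_type = _read_string(sig_key, 0)[0].decode()
    sig_alg = _read_string(signature, 0)[0].decode()
    # Only RSA CAs may use rsa-sha2-*; an ECDSA CA paired with rsa-sha2-256 is the mismatch.
    consistent = sig_alg == ca_type or (ca_type == "ssh-rsa" and sig_alg.startswith("rsa-sha2-"))
    return {"cert_type": cert_type, "key_id": key_id.decode(),
            "ca_type": ca_type, "sig_alg": sig_alg, "consistent": consistent}

def build_sample_cert(ca_type, sig_alg):
    """Constructed sample: real field order, dummy nonce, key point, CA key and signature."""
    fields = [_string(b"ecdsa-sha2-nistp256-cert-v01@openssh.com"), _string(b"\x00" * 32),
              _string(b"nistp256"), _string(b"\x04" + b"\x11" * 64),
              struct.pack(">QI", 1, 1), _string(b"vault-user"), _string(_string(b"ubuntu")),
              struct.pack(">QQ", 0, 2**63), _string(b""), _string(b""), _string(b""),
              _string(_string(ca_type.encode()) + _string(b"\x22" * 32)),
              _string(_string(sig_alg.encode()) + _string(b"\x33" * 64))]
    return base64.b64encode(b"".join(fields)).decode()
```

For a single file, `ssh-keygen -L -f id_ecdsa-cert.pub` prints the same signing CA and algorithm; the function is for checking a batch of issued certificates from a script.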

Context

StackExchange DevOps Q#11458, answer score: 3
