Repository: isometry/vault-ssh-plus (https://github.com/isometry/vault-ssh-plus), previously named isometry/vault-ssh-client
Description: Automatically use HashiCorp Vault SSH Client Key Signing with ssh(1)
Language: Go; license: MIT; topics: ssh, ssh-certificates, vault
Created 2020-10-23; last push 2025-06-11; 79 commits by 4 committers; 19 tags; 27 stars, 3 forks, 0 open issues
Source record: ecosyste.ms project page https://awesome.ecosyste.ms/projects/github.com%2Fisometry%2Fvault-ssh-plus (last synced 2026-04-02)

# vault-ssh-plus (vssh)

An enhanced implementation of [`vault ssh`](https://www.vaultproject.io/docs/commands/ssh), wrapping the OpenSSH `ssh` client to eliminate the management overhead of using short-lived SSH client keys CA-signed by [@hashicorp Vault](https://www.vaultproject.io/).

## Features

* Support for all [`ssh(1)`](https://man.openbsd.org/ssh.1) capabilities, including:
  * non-filesystem private keys (e.g. `gpg-agent`, PKCS#11, etc.);
  * arbitrary [`ssh_config(5)`](https://man.openbsd.org/ssh_config.5) configuration (e.g. `Host` aliases and `Match` clauses);
  * `ControlMaster` connection sharing.
* Automatic and transparent just-in-time delivery of short-lived, CA-signed, single-use `ssh` client keys.
* Adherence to the Principle of Least Privilege: by default, a signed key is granted only the extensions required for the `ssh` options given.
* Automatic username mapping for Vault roles that have a single, fixed entry in `allowed_users` (e.g. `root`, `jenkins`, `ansible`).
* Significantly lower memory overhead than `vault ssh`.

## Requirements

* A [HashiCorp Vault](https://www.vaultproject.io/) instance configured for [SSH Client Key Signing](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing), access to an appropriate role, and an SSH server configured to trust the Vault CA (i.e. `TrustedUserCAKeys` in `sshd_config` pointing at the CA public key read from the mount's `config/ca` endpoint).
* An active Vault token (either in the `VAULT_TOKEN` environment variable, or – if the standard `vault` binary is available within `$PATH` – available from a Vault Token Helper). The `VAULT_ADDR` environment variable must also be set.
* OpenSSH 7.2 or newer `ssh` client binary.

## Usage

In addition to all the options accepted by [`ssh(1)`](https://man.openbsd.org/ssh.1), `vssh` accepts the following options:

```console
$ vssh --help
Usage:
  vssh [options] destination [command]

Application Options:
      --mode=[sign|issue]                   Mode (default: issue) [$VAULT_SSH_MODE]
      --type=[rsa|ec|ed25519]               Preferred key type (default: ed25519) [$VAULT_SSH_KEY_TYPE]
      --bits=[0|2048|3072|4096|256|384|521] Key bits for 'issue' mode (default: 0) [$VAULT_SSH_KEY_BITS]
      --path=                               Vault SSH mountpoint (default: ssh) [$VAULT_SSH_PATH]
      --role=                               Vault SSH role (default: <ssh-username>) [$VAULT_SSH_ROLE]
      --ttl=                                Vault SSH certificate TTL (default: 300) [$VAULT_SSH_TTL]
  -P, --public-key=                         Path to preferred public key for 'sign' mode [$VAULT_SSH_PUBLIC_KEY]
      --version                             Show version

Certificate Extensions:
      --default-extensions                  Disable automatic extension calculation and request signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
      --agent-forwarding                    Force permit-agent-forwarding extension [$VAULT_SSH_AGENT_FORWARDING]
      --port-forwarding                     Force permit-port-forwarding extension [$VAULT_SSH_PORT_FORWARDING]
      --no-pty                              Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
      --user-rc                             Enable permit-user-rc extension [$VAULT_SSH_USER_RC]
      --x11-forwarding                      Force permit-X11-forwarding extension [$VAULT_SSH_X11_FORWARDING]

Help Options:
  -h, --help                                Show this help message
```

If you need to override the [SSH Client Key Signing](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing) mountpoint or role, this is most easily achieved by setting the `VAULT_SSH_PATH` and `VAULT_SSH_ROLE` environment variables in your shell rc.
If your Vault SSH mountpoint isn't configured with a role matching the target SSH username, you *will* need to specify the Vault SSH role to use (e.g. `export VAULT_SSH_ROLE=self` or `vssh --role=self host` if you're using a role named `self` configured with templated `allowed_users`).

In `issue` mode (the default), the client retrieves an ephemeral keypair from Vault and exposes it to `ssh(1)` through an internal, in-process SSH agent.

In `sign` mode, the client has Vault sign the specified public key, defaulting to the first key loaded into `ssh-agent(1)` (preferring the first key whose type matches `VAULT_SSH_KEY_TYPE`).

The certificate is requested with only those extensions required for the current command (by default just `permit-pty`, omitted when `-N` is given). Additional extensions may be requested (e.g. to cover future multiplexed connections over the same `ControlMaster` session) with the "Certificate Extensions" options, or the Vault role's default extensions may be requested instead with `--default-extensions`.

### Examples

The following will request that an existing ed25519 public key be signed by the Vault signer at `https://vault.example.com:8200/v1/ssh-client-signer/sign/default`, with (automatic) `permit-pty` and `permit-port-forwarding` extensions to support the connection to `host.example.com`:

```console
$ ssh-add ~/.ssh/id_ed25519
$ export VAULT_ADDR=https://vault.example.com:8200
$ export VAULT_SSH_PATH=ssh-client-signer
$ export VAULT_SSH_ROLE=default
$ export VAULT_SSH_MODE=sign
$ vault login
...
$ vssh -L8080:localhost:80 host.example.com
...
```

The following will request that an ephemeral ECDSA keypair with a (default) 256-bit private key be generated by the Vault issuer at `https://vault.example.com/v1/ssh/issue/root` (the role name `root` is taken from the SSH username because `--role` is unset), and used to run the `id` command on `host2.example.com` as `root`:

```console
$ export VAULT_ADDR=https://vault.example.com
$ export VAULT_SSH_KEY_TYPE=ec
$ vault login
...
$ vssh root@host2.example.com id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
```

## Installation

### Manual

Download and extract the [latest release](https://github.com/isometry/vault-ssh-plus/releases/latest).

### macOS

```sh
brew install isometry/tap/vault-ssh-plus
```

### Ansible

If you've already installed my [release-from-github](https://github.com/isometry/ansible-role-release-from-github) role:

```sh
ansible -m import_role -a name=release-from-github -e release_repo=isometry/vault-ssh-plus -e release_hashicorp_style=yes localhost
```

### Arch Linux

vault-ssh-plus is available in the AUR as `vault-ssh-plus-bin` (https://aur.archlinux.org/packages/vault-ssh-plus-bin).
Install it with `makepkg` or your preferred AUR helper.

### Nix / NixOS

`vault-ssh-plus` is available in [nixpkgs](https://github.com/NixOS/nixpkgs):

```sh
nix-env -iA nixpkgs.vault-ssh-plus
```

## Troubleshooting

Refer to the [Vault Documentation](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#troubleshooting).

Two failures are worth telling apart: Vault refuses a sign request whose extensions are not in the role's `allowed_extensions`, whereas `sshd` refuses a certificate whose principals do not include the login user. `vault read <mount>/roles/<role>` shows the role's `allowed_users`, `allowed_extensions` and `default_extensions`.
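As an added worked example (not code from the vault-ssh-plus project) the following Go program models the two mechanisms the Usage section describes: deriving the least-privilege extension set from the `ssh(1)` arguments, and submitting the `sign` request to Vault's `/v1/<mount>/sign/<role>` endpoint with the `X-Vault-Token` header. It runs against an in-process stand-in for Vault (`httptest`) that enforces a role allow-list the way Vault does, so it can be run offline; the token value, key strings, role allow-list and the flag-to-extension mapping are constructed assumptions, not values from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SignRequest is the JSON body POSTed to {VAULT_ADDR}/v1/{mount}/sign/{role}.
type SignRequest struct {
	PublicKey       string            `json:"public_key"`
	ValidPrincipals string            `json:"valid_principals,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	Extensions      map[string]string `json:"extensions"`
}

// ssh(1) option letters that take a value (from OpenSSH's optstring), so the "root" in "-l root" is not read as flags.
const sshOptsWithArg = "bceilmopBDEFIJLOQRSwW"

// extensionsFor derives the least-privilege extension set for an ssh(1) argument
// list: permit-pty unless -N, and a forwarding extension only when the matching
// ssh option is present (my reading of the README, not the project's code).
func extensionsFor(args []string) map[string]string {
	ext := map[string]string{"permit-pty": ""}
	for i := 0; i < len(args); i++ {
		if args[i] == "--" || !strings.HasPrefix(args[i], "-") || len(args[i]) < 2 {
			break // destination reached; anything after it is the remote command
		}
		letters := args[i][1:]
		for j := 0; j < len(letters); j++ {
			switch letters[j] {
			case 'N':
				delete(ext, "permit-pty")
			case 'A':
				ext["permit-agent-forwarding"] = ""
			case 'L', 'R', 'D', 'w':
				ext["permit-port-forwarding"] = ""
			case 'X', 'Y':
				ext["permit-X11-forwarding"] = ""
			}
			if strings.IndexByte(sshOptsWithArg, letters[j]) >= 0 {
				if j == len(letters)-1 {
					i++ // the value is the next token: skip it
				}
				break // otherwise the value is the rest of this token
			}
		}
	}
	return ext
}

// requestSignedKey performs the sign call and returns the certificate from Vault's "signed_key" field.
func requestSignedKey(c *http.Client, addr, token, mount, role string, req SignRequest) (string, error) {
	body, _ := json.Marshal(req) // cannot fail for these field types
	// addr is a well-formed base URL by construction, so NewRequest cannot fail here.
	r, _ := http.NewRequest(http.MethodPost, addr+"/v1/"+mount+"/sign/"+role, strings.NewReader(string(body)))
	r.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(r)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e struct{ Errors []string `json:"errors"` } // Vault's error envelope
		json.NewDecoder(resp.Body).Decode(&e)
		return "", fmt.Errorf("vault returned %d: %v", resp.StatusCode, e.Errors)
	}
	var out struct{ Data struct{ SignedKey string `json:"signed_key"` } `json:"data"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data.SignedKey, err
}

// newFakeVault is a constructed stand-in for the sign endpoint: it checks the token, rejects
// extensions outside the role's allowed list (as Vault does) and returns a placeholder certificate.
func newFakeVault(allowed map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "s.constructed-token" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		var req SignRequest
		json.NewDecoder(r.Body).Decode(&req)
		for name := range req.Extensions {
			if !allowed[name] {
				http.Error(w, `{"errors":["extension `+name+` is not on allowed list"]}`, http.StatusBadRequest)
				return
			}
		}
		json.NewEncoder(w).Encode(map[string]map[string]string{"data": {
			"serial_number": "constructed", "signed_key": "ssh-ed25519-cert-v01@openssh.com AAAA...constructed... " + req.ValidPrincipals}})
	}))
}

func main() {
	vault := newFakeVault(map[string]bool{"permit-pty": true, "permit-port-forwarding": true})
	defer vault.Close()
	req := SignRequest{PublicKey: "ssh-ed25519 AAAA...constructed", ValidPrincipals: "root", TTL: "300s",
		Extensions: extensionsFor([]string{"-L8080:localhost:80", "host.example.com"})}
	fmt.Println(requestSignedKey(vault.Client(), vault.URL, "s.constructed-token", "ssh-client-signer", "default", req))
}
```

Against a real Vault, `vault.URL` and the token become `VAULT_ADDR` and `VAULT_TOKEN`, and the returned certificate is handed to `ssh` (for example via `CertificateFile` or an agent). The point the fake server makes is the one to keep in mind when a connection fails: every extension the client derives from the `ssh` flags must be in the role's `allowed_extensions`, otherwise the request is refused before any key is signed, which is why `-L` against a pty-only role fails while a plain login succeeds.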