feat(ssh): add HashiCorp Vault SSH signer authentication#912

Open
devdanetra wants to merge 1 commit into
Termix-SSH:mainfrom
Sphera-sa:claude/vigilant-mccarthy-77f908
Conversation

@devdanetra

Add a new "vault" authentication method where users authenticate to HashiCorp Vault via an interactive OIDC flow and Vault's SSH CA issues a short-lived certificate for an ephemeral keypair. No tokens, AppRole secrets, or long-lived private keys are ever stored.

  • vault_profiles: shareable, secret-free connection settings (Vault address/namespace, OIDC mount+role, SSH signer mount+role, principals, key type) with an admin-gated shared flag visible to all users.
  • vault_tokens: transient per-user cache of the ephemeral key + signed cert, encrypted under the user's DEK, valid only until cert expiry.
  • Interactive Vault OIDC flow mirroring OPKSSH: auth_url -> browser ->
    /vault/oidc/callback -> Vault token -> sign ephemeral key -> connect via the existing certificate-auth machinery.
  • Frontend: vault auth option + profile selector and inline profile manager in the host editor, plus the OIDC popup choreography.
  • Tests: unit coverage for keygen, certificate expiry parsing, and the Vault HTTP contract (mocked), plus a live-Vault integration test guarded by VAULT_ADDR/VAULT_TOKEN.

Overview

Short summary of what this PR does

  • Added: ...
  • Updated: ...
  • Removed: ...
  • Fixed: ...

Changes Made

Detailed explanation of changes (if needed)

  • ...

Related Issues

Link any issues this PR addresses

  • Closes #ISSUE_NUMBER
  • Related to #ISSUE_NUMBER

Screenshots / Demos

(Optional: add before/after screenshots, GIFs, or console output)

Checklist

  • Code follows project style guidelines
  • Supports mobile and desktop UI/app (if applicable)
  • I have read Contributing.md
  • This is not a translation request. See docs

Add a new "vault" authentication method where users authenticate to
HashiCorp Vault via an interactive OIDC flow and Vault's SSH CA issues a
short-lived certificate for an ephemeral keypair. No tokens, AppRole
secrets, or long-lived private keys are ever stored.

- vault_profiles: shareable, secret-free connection settings (Vault
  address/namespace, OIDC mount+role, SSH signer mount+role, principals,
  key type) with an admin-gated `shared` flag visible to all users.
- vault_tokens: transient per-user cache of the ephemeral key + signed
  cert, encrypted under the user's DEK, valid only until cert expiry.
- Interactive Vault OIDC flow mirroring OPKSSH: auth_url -> browser ->
  /vault/oidc/callback -> Vault token -> sign ephemeral key -> connect
  via the existing certificate-auth machinery.
- Frontend: vault auth option + profile selector and inline profile
  manager in the host editor, plus the OIDC popup choreography.
- Tests: unit coverage for keygen, certificate expiry parsing, and the
  Vault HTTP contract (mocked), plus a live-Vault integration test
  guarded by VAULT_ADDR/VAULT_TOKEN.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
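The parts of this flow that matter most for safety are the last three steps: an ephemeral keypair is generated, its public half is sent to Vault's SSH secrets engine to be signed, and the returned certificate is cached only until its `valid_before`. The following is an added illustration of those steps and is not code from this PR or from Termix: it generates an ed25519 keypair in OpenSSH public-key form, builds the request for Vault's real `POST /v1/<mount>/sign/<role>` endpoint (mount and role names are assumed placeholders), parses `key_id`, principals, `valid_after` and `valid_before` out of an `ssh-ed25519-cert-v01@openssh.com` blob, and decides whether a cached certificate is still usable with a clock-skew margin. `buildTestCert` is a constructed fixture with a dummy CA key and signature so the parser can be exercised offline; sshd would reject it.

```typescript
import { generateKeyPairSync, randomBytes } from "node:crypto";

// OpenSSH wire-format encoders (RFC 4251 string / uint32 / uint64).
function sshString(data: Buffer | string): Buffer {
  const b = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  const len = Buffer.alloc(4);
  len.writeUInt32BE(b.length, 0);
  return Buffer.concat([len, b]);
}
function sshUint32(n: number): Buffer { const b = Buffer.alloc(4); b.writeUInt32BE(n, 0); return b; }
function sshUint64(n: bigint): Buffer { const b = Buffer.alloc(8); b.writeBigUInt64BE(n, 0); return b; }

// Bounds-checked reader for the same wire format.
class Reader {
  private off = 0;
  private buf: Buffer;
  constructor(buf: Buffer) { this.buf = buf; }
  remaining(): number { return this.buf.length - this.off; }
  string(): Buffer {
    if (this.remaining() < 4) throw new Error("truncated ssh string length");
    const len = this.buf.readUInt32BE(this.off); this.off += 4;
    if (this.remaining() < len) throw new Error("truncated ssh string body");
    const out = this.buf.subarray(this.off, this.off + len); this.off += len;
    return out;
  }
  uint32(): number { const v = this.buf.readUInt32BE(this.off); this.off += 4; return v; }
  uint64(): bigint { const v = this.buf.readBigUInt64BE(this.off); this.off += 8; return v; }
}

// Step 1: ephemeral ed25519 keypair; the private half lives only in memory (or an encrypted cache).
export function generateEphemeralKey(): { privateKeyPem: string; publicKeyOpenSsh: string } {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  const spki = publicKey.export({ type: "spki", format: "der" }) as Buffer;
  const raw = spki.subarray(spki.length - 32); // raw ed25519 key is the last 32 bytes of the SPKI DER
  const blob = Buffer.concat([sshString("ssh-ed25519"), sshString(raw)]);
  return {
    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }) as string,
    publicKeyOpenSsh: `ssh-ed25519 ${blob.toString("base64")} ephemeral`,
  };
}

// Step 2: the request Vault's SSH secrets engine expects; only the public key leaves the client.
export interface SignerConfig { addr: string; namespace?: string; signerMount: string; signerRole: string; }
export function buildSignRequest(cfg: SignerConfig, vaultToken: string, publicKey: string, principals: string[]) {
  const headers: Record<string, string> = { "Content-Type": "application/json", "X-Vault-Token": vaultToken };
  if (cfg.namespace) headers["X-Vault-Namespace"] = cfg.namespace;
  return {
    method: "POST",
    url: `${cfg.addr.replace(/\/$/, "")}/v1/${cfg.signerMount}/sign/${cfg.signerRole}`,
    headers,
    // Vault responds with { data: { serial_number, signed_key } }; signed_key is the certificate line.
    body: JSON.stringify({ public_key: publicKey, cert_type: "user", valid_principals: principals.join(",") }),
  };
}

// Step 3: read the validity window out of the certificate so the cache can expire with it.
export interface CertValidity { keyId: string; principals: string[]; validAfter: Date; validBefore: Date; }
const CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com";
export function parseCertValidity(signedKey: string): CertValidity {
  const [type, b64] = signedKey.trim().split(/\s+/);
  if (type !== CERT_TYPE || !b64) throw new Error(`unsupported certificate line: ${type}`);
  const r = new Reader(Buffer.from(b64, "base64"));
  if (r.string().toString() !== CERT_TYPE) throw new Error("blob type does not match line type");
  r.string(); // nonce
  r.string(); // signed public key
  r.uint64(); // serial
  if (r.uint32() !== 1) throw new Error("not a user certificate"); // 1 = SSH_CERT_TYPE_USER
  const keyId = r.string().toString();
  const pr = new Reader(r.string()); // valid_principals is itself a packed list of strings
  const principals: string[] = [];
  while (pr.remaining() > 0) principals.push(pr.string().toString());
  const validAfter = r.uint64();
  const validBefore = r.uint64();
  if (validBefore === 0xffffffffffffffffn) throw new Error("certificate never expires; refusing to cache it");
  return { keyId, principals, validAfter: new Date(Number(validAfter) * 1000), validBefore: new Date(Number(validBefore) * 1000) };
}

// A cached certificate is usable only inside its window, minus a skew margin before expiry.
export function isUsable(v: CertValidity, now: Date, skewSeconds: number): boolean {
  return now.getTime() >= v.validAfter.getTime() && now.getTime() + skewSeconds * 1000 < v.validBefore.getTime();
}

// CONSTRUCTED fixture: correct field layout, dummy CA key and signature (sshd would reject it).
export function buildTestCert(o: { keyId: string; principals: string[]; validAfter: number; validBefore: number }): string {
  const pubBlob = Buffer.from(generateEphemeralKey().publicKeyOpenSsh.split(" ")[1], "base64");
  const pr = new Reader(pubBlob); pr.string(); const rawKey = pr.string();
  const blob = Buffer.concat([
    sshString(CERT_TYPE), sshString(randomBytes(32)), sshString(rawKey), sshUint64(1n), sshUint32(1),
    sshString(o.keyId), sshString(Buffer.concat(o.principals.map((p) => sshString(p)))),
    sshUint64(BigInt(o.validAfter)), sshUint64(BigInt(o.validBefore)),
    sshString(Buffer.alloc(0)), sshString(Buffer.alloc(0)), sshString(Buffer.alloc(0)), // critical opts, extensions, reserved
    sshString(Buffer.concat([sshString("ssh-ed25519"), sshString(Buffer.alloc(32))])), // dummy CA key
    sshString(Buffer.concat([sshString("ssh-ed25519"), sshString(Buffer.alloc(64))])), // dummy signature
  ]);
  return `${CERT_TYPE} ${blob.toString("base64")}`;
}
```

The skew margin in `isUsable` is the check a cache like `vault_tokens` needs: a certificate that is technically valid for another ten seconds should not be handed to a new connection, and a certificate whose `valid_before` is the all-ones "forever" value should never be cached, since the whole design depends on expiry.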

1 participant