Hashicorp Vault with SSH connection

Hi,

Actually, if I want to create an SSH entry with credentials from my Hashicorp Vault, I need 2 entries:

  • One for my Hashicorp Vault, linked to my KV engine secret
  • One for my SSH access, with credentials linked to my previous entry

Do you plan to add a tab on the SSH entry for Hashicorp Vault? Like the tab for the private key.

Thank you

All Comments (5)

Hello,

As you mention, you need at least one Hashicorp entry and one SSH entry to be able to do what you want. The improvement you suggest isn't something that would fit in well with how RDM works.

What you could do though, to avoid needing to make one Hashicorp entry per SSH entry, is to use the "dynamic credential linking" feature, which is supported with this credential. For more information on the feature, you can look at our help topic: https://help.remotedesktopmanager.com/credentials_dynamiccredentiallinking.html
The end result will be that you will only need to create one Hashicorp entry, and can then make all of your SSH entries refer to it, while still using different credentials for each of your SSH hosts.

Hopefully this helps you make better use of RDM!

Regards,

Hubert Mireault

Thank you! Good idea!!

Another question, does it support the AD engine? For password rotation?

Hello,

Glad this works for you 🙂

As for password rotation, our current integration with Hashicorp Vault does not do any password rotation. I assume that if you have Hashicorp configured to perform periodic password rotations, it shouldn't cause any issues with our integration.
Basically, the only things RDM does are:

  • Connect to Hashicorp
  • List the credentials from Hashicorp
  • Fetch the data from the selected credential (username/domain/password)


Regards,

Hubert Mireault

I understand what you say, but no.
RDM lists only secrets of the "kv" type, not the "active directory" type.

Basically, it's identical, you just list and read. In the CLI, you need:

  • list roles from the AD engine: "vault list ad/" (ad is the path)
  • read a credential from a role: "vault read ad/creds/testuser" (at this moment, Vault decides whether to rotate the password or not) and get the keys "username" and "current_password"

In the kv engine, it is a little different:

  • list path: "vault kv list secret/"
  • list next path: "vault kv list secret/mypath/ ...."
  • read key: "vault kv read secret/mypath/mydata"
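The "list and read" pattern described in the post, as an added example (not code from the thread or from RDM): one small client over Vault's HTTP API that treats a KV v2 mount and an AD secrets engine mount the same way and normalizes both to a username/password pair. It assumes a KV v2 mount at "secret/" and the AD engine at "ad/"; the transport is injectable, and the canned JSON responses are constructed so the demo runs offline.

```python
"""Uniform list/read over Vault KV v2 and the AD secrets engine (added example)."""
from typing import Callable, Dict, List

# (HTTP method, API path) -> parsed JSON body. A real transport would send the
# request with the X-Vault-Token header; the fake below answers from a table.
Transport = Callable[[str, str], dict]


class VaultCredentialSource:
    def __init__(self, transport: Transport):
        self._call = transport

    # KV v2: list under <mount>/metadata/, read under <mount>/data/,
    # and the secret itself sits under body["data"]["data"].
    def kv_list(self, mount: str, path: str = "") -> List[str]:
        return self._call("LIST", f"/v1/{mount}/metadata/{path}")["data"]["keys"]

    def kv_read(self, mount: str, path: str) -> Dict[str, str]:
        d = self._call("GET", f"/v1/{mount}/data/{path}")["data"]["data"]
        return {"username": d["username"], "password": d["password"]}

    # AD engine: roles are listed under <mount>/roles and credentials read
    # from <mount>/creds/<role>; Vault may rotate the password on that read.
    def ad_list(self, mount: str) -> List[str]:
        return self._call("LIST", f"/v1/{mount}/roles")["data"]["keys"]

    def ad_read(self, mount: str, role: str) -> Dict[str, str]:
        d = self._call("GET", f"/v1/{mount}/creds/{role}")["data"]
        # current_password is only good until the next rotation: fetch it at
        # connection time and never cache it in the client.
        return {"username": d["username"], "password": d["current_password"]}


def resolve(src: VaultCredentialSource, engine: str, mount: str, path: str):
    """Single entry point: the engine type selects which read call to use."""
    if engine == "kv":
        return src.kv_read(mount, path)
    if engine == "ad":
        return src.ad_read(mount, path)
    raise ValueError(f"unsupported engine: {engine}")


# Constructed responses standing in for a real Vault server (not real data).
_FAKE = {
    ("LIST", "/v1/secret/metadata/"): {"data": {"keys": ["mypath/"]}},
    ("LIST", "/v1/secret/metadata/mypath/"): {"data": {"keys": ["mydata"]}},
    ("GET", "/v1/secret/data/mypath/mydata"):
        {"data": {"data": {"username": "svc-kv", "password": "kv-pass-1"}}},
    ("LIST", "/v1/ad/roles"): {"data": {"keys": ["testuser"]}},
    ("GET", "/v1/ad/creds/testuser"):
        {"data": {"username": "testuser", "current_password": "rotated-7"}},
}


def fake_transport(method: str, path: str) -> dict:
    return _FAKE[(method, path)]
```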
Hello,

Thanks for the detailed explanation 🙂 Indeed at the moment we don't support this, but I'll open a ticket so we can look into adding it.

Regards,

Hubert Mireault