Since 2022, ISW has been migrating to a more secure setup. Instead of sharing passwords via a password manager, we now use Vault to create OTPs or sign SSH keys to give temporary access to a machine. This brings a lot of security benefits; for example, old members can no longer access those systems.
To see if the machine supports Vault login, go to the correct documentation page in the sysadmin documentation wiki. In the "Information" table you should see an entry which states the available Vault authentication methods. If a role is specified, you will need to use that role to log in.
In this example, both OTP and SSH keys are supported. However, you can only use the kubernetes role when signing in.
This login method is the most complex: it uses an extra helper for PAM to see if a password should be allowed. You can generate a password that can only be used once to log in on the device.
More information is available at https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-passwords.
To receive an OTP, you will need to ask Vault:
vault write ssh/creds/ROLE username=USERNAME ip=IP_ADDRESS
You will receive an output which has a key value. This is the OTP. You can now SSH to the machine and use that password to log in.
You can let Vault sign you in automatically, without the need to copy and paste a password:
vault ssh -role ROLE -mode otp USERNAME@IP_ADDRESS
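If you request the OTP from a script instead of the terminal, check that the credential Vault returns is really an OTP for the user and host you asked for before handing it to SSH. The following is an added example, not part of the ISW documentation or of Vault itself: the function names, the sample response values and the role-name check are assumptions made for illustration, and the response fields follow the `ssh/creds` output described above, requested with `-format=json`.

```python
import json
import subprocess

# Constructed sample of `vault write -format=json ssh/creds/ROLE ...` output.
# The key, IP (documentation range) and username are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "lease_id": "ssh/creds/kubernetes/constructed-lease-id",
    "lease_duration": 2764800,
    "renewable": False,
    "data": {
        "ip": "192.0.2.10",
        "key": "00000000-1111-2222-3333-444444444444",
        "key_type": "otp",
        "port": 22,
        "username": "alice",
    },
})


def otp_request_argv(role, username, ip):
    """Build the OTP request command shown above, asking for JSON output."""
    if not role or "/" in role:
        raise ValueError("role must be a plain role name")
    return ["vault", "write", "-format=json", f"ssh/creds/{role}",
            f"username={username}", f"ip={ip}"]


def extract_otp(response_json, username, ip):
    """Return the OTP, refusing credentials issued for another user or host."""
    data = json.loads(response_json).get("data") or {}
    if data.get("key_type") != "otp":
        raise ValueError(f"expected an OTP credential, got {data.get('key_type')!r}")
    if (data.get("username"), data.get("ip")) != (username, ip):
        raise ValueError("credential does not match the requested user and host")
    if not data.get("key"):
        raise ValueError("response contains no key")
    return data["key"]


def request_otp(role, username, ip):
    """Ask Vault for an OTP (needs the vault CLI, VAULT_ADDR and a valid token)."""
    result = subprocess.run(otp_request_argv(role, username, ip),
                            check=True, capture_output=True, text=True)
    return extract_otp(result.stdout, username, ip)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; prints only the key length.
    print(len(extract_otp(SAMPLE_RESPONSE, "alice", "192.0.2.10")))
```

The script never prints the OTP itself, so it does not end up in terminal scrollback or logs.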
More information is available at https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.