Using the latest vault commit as of this bug report.
I also posted in IRC. The Dynamic Key Type for the ssh secret backend is deprecated and has various security issues as made clear in the docs, including lacking host key verification. However, I suspect it doesn't even work, though I haven't had time to test.
In the ssh crypto library in vendor, the changes as of commit 7902612 on March 30th include the fix for CVE-2017-3204. That fix requires you to explicitly set the HostKeyCallback in the SSH config, but in the ssh config generated in builtin/logical/ssh/util.go, this value is not set, and unless it's explicitly set, the default behavior of the ssh client is to immediately close the connection.
It might be good to remove this feature entirely since it's insecure, and likely doesn't work anymore. I haven't had time to test definitively.
We don't use a CertChecker object so I don't believe this affects us and the documentation is correct. If you test it and it doesn't work, feel free to re-open.
After upgrading vault to 0.7.2, it does look to be broken:
$ vault ssh -role dynamic_key_role user@IP
Error getting key for SSH session: Error making API request.
URL: PUT https://vault.example.com/v1/ssh/creds/dynamic_key_role
Code: 500. Errors:
* 1 error occurred:
* failed to add public key to authorized_keys file in target: ssh: must specify HostKeyCallback
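The "ssh: must specify HostKeyCallback" error above is the x/crypto/ssh client refusing to proceed without a host key check. As an added example (not Vault's code and not the x/crypto/ssh library itself), this stand-alone Go file mirrors the `PublicKey` and `HostKeyCallback` shapes from golang.org/x/crypto/ssh with local types, so it builds with the standard library alone, and shows what a callback that actually verifies the host key looks like: a pinned, known_hosts-style allow list that fails closed on an unknown host or a changed key. The hostname and key bytes are constructed demo data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
)

// PublicKey and HostKeyCallback mirror the golang.org/x/crypto/ssh types of the
// same names (local copies, so this file needs no external module). HostKeyCallback
// is the ssh.ClientConfig field the Vault util.go config left unset; since the
// CVE-2017-3204 fix a nil callback fails closed ("ssh: must specify HostKeyCallback").
type PublicKey interface {
	Type() string
	Marshal() []byte
}
type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error

// Ed25519Key is an ed25519 host key in SSH wire form: string "ssh-ed25519", string key.
type Ed25519Key ed25519.PublicKey

func (k Ed25519Key) Type() string { return "ssh-ed25519" }
func (k Ed25519Key) Marshal() []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(k.Type()), []byte(k)} {
		b = binary.BigEndian.AppendUint32(b, uint32(len(f)))
		b = append(b, f...)
	}
	return b
}

// PinnedHostKeys plays the role of a known_hosts file (hostname -> expected
// wire-encoded key). Unknown hosts and mismatched keys both fail closed, and a
// mismatch reports the SHA256 fingerprint in the form `ssh-keygen -l` prints.
func PinnedHostKeys(pins map[string][]byte) HostKeyCallback {
	return func(hostname string, _ net.Addr, key PublicKey) error {
		want, ok := pins[hostname]
		if !ok {
			return fmt.Errorf("no pinned host key for %q", hostname)
		}
		if !bytes.Equal(want, key.Marshal()) {
			sum := sha256.Sum256(key.Marshal())
			return fmt.Errorf("host key mismatch for %q: got SHA256:%s", hostname,
				base64.RawStdEncoding.EncodeToString(sum[:]))
		}
		return nil
	}
}
```

With the real library the same callback is assigned to `ssh.ClientConfig.HostKeyCallback`; `ssh.InsecureIgnoreHostKey()` would also clear the error but restores exactly the missing verification the docs warn about.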