一键导入
vault-ssh-keys
Manage per-host SSH keypair lifecycle in Vault under kv/network/hosts/<host>/users/<user>/ssh/<consumer> — generate, store, read, rotate, retire
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Manage per-host SSH keypair lifecycle in Vault under kv/network/hosts/<host>/users/<user>/ssh/<consumer> — generate, store, read, rotate, retire
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Vault health dashboard — seal status, auth methods, engines, policies, leader, audit devices
Manage per-host user account credentials in Vault under kv/network/hosts/<host>/users/<user>/{_meta,password,ssh/<consumer>} — user-centric, multi-credential, multi-consumer layout
Live test all 28 Vault MCP tools against a real Vault instance, report results
Interactive Vault secret CRUD — read, write, list, delete, undelete, destroy with path navigation
| name | vault-ssh-keys |
| description | Manage per-host SSH keypair lifecycle in Vault under kv/network/hosts/<host>/users/<user>/ssh/<consumer> — generate, store, read, rotate, retire |
| command | /vault-ssh-keys |
| auto_invoke | false |
Interactive workflow for generating, storing, and rotating SSH keypairs used by agents or services ("consumers") to reach managed hosts. Each keypair belongs to a specific (host, user, consumer) triple, so the same host user can have multiple distinct keys for multiple consumers.
SSH keypairs live under the host-users subtree (see the vault-host-users skill for the full layout):
kv/data/network/hosts/<host>/users/<user>/ssh/<consumer>
<host> — short, stable hostname (host01, fw-primary) — not FQDN, not IP<user> — local login name on that host (admin, opsuser, root)<consumer> — the agent or service that owns the key (example-agent, ansible, human:<handle>)users/<user>/ssh/?_meta record holds an authorized_keys[] inventory array for drift detectionEvery entry at kv/data/network/hosts/<host>/users/<user>/ssh/<consumer> has these fields:
| Field | Type | Required | Description |
|---|---|---|---|
consumer | string | ✅ | Matches the path segment — redundant but convenient |
private_key | string | ✅ | OpenSSH private key (PEM), complete with header/footer |
public_key | string | ✅ | OpenSSH public key (ssh-<type> <base64> <comment>) |
fingerprint | string | ✅ | SHA256:<base64> (from ssh-keygen -lf) |
key_type | enum | ✅ | ed25519 (preferred) | rsa | ecdsa |
local_cache_path | string | optional | e.g. ~/.secrets/ssh/<host>_<consumer> (bootstrap cache) |
rotated_at | ISO-8601 UTC | ✅ | Timestamp of current version |
rotated_by | string | ✅ | Who/what rotated it (<actor>@<workstation>, human handle, agent name) |
rotation_reason | enum | ✅ | initial-bootstrap | scheduled-rotation | compromise | key-loss | policy-upgrade |
Never store passphrases in this record. Keys in Vault are considered encrypted-at-rest by Vault itself; if an additional passphrase layer is required, that is a separate threat model and should be covered by its own design document.
vault_secret_read path=network/hosts/<host>/users/<user>/ssh/<consumer>
Extract only public_key / fingerprint / key_type / rotated_at / rotated_by / rotation_reason for display. Never print private_key.
ssh-keygen -t ed25519 -N '' -C "<consumer>@<host>:<iso-ts>" -f <local-path>
chmod 600 <local-path>ssh-keygen -lf <local-path>.pubvault_secret_write path=network/hosts/<host>/users/<user>/ssh/<consumer> with the full payload and rotation_reason: initial-bootstrappublic_key on the target host as an entry in the corresponding user's ~/.ssh/authorized_keys (for appliances: via Web UI)_meta.authorized_keys[] inventory (see vault-host-users)_meta.authorized_keys[]_meta.authorized_keys[]vault_secret_write with new data + rotation_reason: scheduled-rotation (or compromise if forced)vault_secret_metadata for auditvault_secret_destroy the old versionauthorized_keys (leave other consumers' keys intact)_meta.authorized_keys[]vault_secret_delete path=network/hosts/<host>/users/<user>/ssh/<consumer> (soft — recoverable)vault_secret_destroy (permanent)vault_secret_list path=network/hosts/<host>/users/<user>/ssh/
vault_secret_list path=network/hosts/
vault_secret_readvault_secret_writevault_secret_listvault_secret_metadatavault_secret_deletevault_secret_destroy (rotation cleanup, requires explicit confirmation)private_key in conversation, logs, commit messages, or tool-call arguments. When reading, filter output to public_key / fingerprint only unless the user explicitly asks to re-extract the private key to a local file.rotated_by + rotation_reason — they are the audit trail.compromise rotation reason implies an incident; flag it to the user and recommend opening a tracking issue before proceeding.initial-bootstrap MUST also be stored locally at a mode-600 cache path outside any git repository (e.g. ~/.secrets/ssh/<host>_<consumer>) so the bootstrap process can run before mcp-vault is available. After bootstrap, the Vault copy is the source of truth — the local file is a cache that can be re-derived via vault_secret_read.authorized_keys[] cross-check: after any write or rotation, verify that _meta.authorized_keys[] (from vault-host-users) contains a matching entry with the same fingerprint. If they diverge, stop and alert the user.User: bootstrap an SSH key for <host>/<user> for <consumer>
Agent:
1. ssh-keygen -t ed25519 -N '' -C "<consumer>@<host>:<iso-ts>" -f ~/.secrets/ssh/<host>_<consumer>
2. chmod 600 ~/.secrets/ssh/<host>_<consumer>
3. ssh-keygen -lf ~/.secrets/ssh/<host>_<consumer>.pub
→ 256 SHA256:<base64> <consumer>@<host>:<iso-ts> (ED25519)
4. vault_secret_write path=network/hosts/<host>/users/<user>/ssh/<consumer> data={
consumer: "<consumer>",
private_key: <file contents, piped via stdin>,
public_key: <file contents>,
fingerprint: "SHA256:<base64>",
key_type: "ed25519",
local_cache_path: "~/.secrets/ssh/<host>_<consumer>",
rotated_at: "<iso-ts>",
rotated_by: "<actor>@<workstation> (<consumer>-ssh bootstrap)",
rotation_reason: "initial-bootstrap"
}
5. Print pubkey to user for manual installation in <user>'s ~/.ssh/authorized_keys on <host>
6. After install, append to _meta.authorized_keys[] (via vault-host-users skill)
7. Verify with: vault_secret_read path=network/hosts/<host>/users/<user>/ssh/<consumer>
(show only metadata + pubkey, never private_key)
vault-host-users — the parent layout, including _meta.authorized_keys[] inventoryvault-secret-management — generic KV v2 CRUD