vhsm auth

Learn to manage authentication methods for the vHSM server.

The auth command in vHSM provides a set of subcommands for managing authentication methods. Users can enable, disable, list, and tune authentication methods.

Note: This command is for managing authentication methods, not for authenticating users or machines. To authenticate, use the vhsm login command instead.

For further details, refer to the authentication concepts and auth method documentation.

Usage

vhsm auth <subcommand> [options] [args]

Available Subcommands

Subcommand    Description
----------    -----------
enable        Enables a new auth method
disable       Disables an auth method
list          Lists enabled auth methods
tune          Tunes an auth method configuration
help          Prints usage details for an auth method


vhsm auth enable

The enable subcommand enables an authentication method at a specified path. If an auth method already exists at that path, an error is returned. Enabling a method does not configure it; the auth method still has to be configured after it is enabled.

Usage

vhsm auth enable <auth-method>

Example

Enable the userpass authentication method:

vhsm auth enable -description="This is a user password method" userpass

Output

Success! Enabled userpass auth method at: userpass/

Options

-allowed-response-headers=<string>
    Response header values that the auth method will be allowed to set. Multiple keys may be specified by providing this option multiple times.

-audit-non-hmac-request-keys=<string>
    Key that will not be HMAC'd by audit devices in the request data object. Multiple keys may be specified.

-audit-non-hmac-response-keys=<string>
    Key that will not be HMAC'd by audit devices in the response data object. Multiple keys may be specified.

-default-lease-ttl=<duration>
    The default lease TTL for this auth method. Defaults to the vHSM server's global default lease TTL if unspecified.

-description=<string>
    Specifies the description of the auth method. Overrides the current stored value, if any.

-listing-visibility=<string>
    Toggles whether to show the mount in the UI listing. Valid values: "unauth" or "hidden". An empty string keeps the current setting unchanged.

-max-lease-ttl=<duration>
    The maximum lease TTL for this auth method. Defaults to the server's global maximum lease TTL if unspecified; a value set here overrides the global maximum for this mount.

-passthrough-request-headers=<string>
    Request header values that will be sent to the auth method. Multiple keys may be specified.

-token-type=<string>
    Specifies the type of tokens that should be returned by the auth method.

-plugin-version=<string>
    Configures the semantic version of the plugin to use. The new version takes effect only after the mount is reloaded.

-user-lockout-threshold=<int>
    Number of failed login attempts after which the user is locked out.

-user-lockout-duration=<duration>
    Duration for which a user will be locked out.

-user-lockout-counter-reset-duration=<duration>
    Duration after which the lockout counter is reset if there are no failed login attempts.

-user-lockout-disable=<bool>
    If set to true, disables the user lockout feature.

vhsm auth disable

The disable subcommand removes an authentication method at a specified path. All access tokens associated with the disabled method are immediately revoked.

Usage

vhsm auth disable <path>

Example

Disable the userpass authentication method:

vhsm auth disable userpass

Output

Success! Disabled the auth method (if it existed) at: userpass/

vhsm auth list

The list subcommand displays all enabled authentication methods.

Usage

vhsm auth list [options]

Example

List enabled authentication methods:

vhsm auth list

Output

Path         Type        Accessor                  Description                       Version
----         ----        --------                  -----------                       -------
token/       token       auth_token_57118dd8       token based credentials           n/a
userpass/    userpass    auth_userpass_a07fb2b4    This is a user password method    n/a

List detailed information:

vhsm auth list -detailed

Options

-format=<format>
    Output format: table, json, or yaml.

-detailed
    Displays additional configuration details.
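The table printed by vhsm auth list is also what an operator would review to catch an auth method that should not be enabled. The following is an added example, not code from the vHSM project: it parses that table (assuming the column layout shown above), runs the CLI when it is installed and otherwise falls back to a constructed copy of the output above, and reports any mount whose path and type are not on an allowlist.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample that copies the shape of the `vhsm auth list` output
# shown on this page; the parser assumes this aligned-column layout.
SAMPLE_OUTPUT = """\
Path         Type        Accessor                  Description                       Version
----         ----        --------                  -----------                       -------
token/       token       auth_token_57118dd8       token based credentials           n/a
userpass/    userpass    auth_userpass_a07fb2b4    This is a user password method    n/a
"""


def parse_auth_list(text: str) -> List[Dict[str, str]]:
    """Turn the aligned table into row dicts keyed by header name.

    Column boundaries come from the header line, so a description that
    contains spaces stays intact instead of being split on whitespace.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or set(lines[1].replace(" ", "")) != {"-"}:
        raise ValueError("unexpected table format")
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[0][s:e].strip() for s, e in bounds]
    return [{n: ln[s:e].strip() for n, (s, e) in zip(names, bounds)}
            for ln in lines[2:]]


def unexpected_mounts(rows: List[Dict[str, str]], allowed: Dict[str, str]) -> List[str]:
    """Return paths whose (path, type) pair is not in the allowlist {path: type}.

    The built-in token/ mount is always present, so it is always allowed.
    """
    allowed = {"token/": "token", **allowed}
    return [r["Path"] for r in rows if allowed.get(r["Path"]) != r["Type"]]


def current_auth_list() -> Optional[str]:
    """Run the CLI when it is installed; otherwise return None."""
    try:
        return subprocess.run(["vhsm", "auth", "list"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    rows = parse_auth_list(current_auth_list() or SAMPLE_OUTPUT)
    extra = unexpected_mounts(rows, {"userpass/": "userpass"})
    print("unexpected auth mounts:", extra or "none")
```

A non-empty result from unexpected_mounts is the signal to review the mount and, if it is not wanted, remove it with vhsm auth disable, which revokes its tokens.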


vhsm auth tune

The tune subcommand adjusts the configuration of an authentication method at a given path.

Usage

vhsm auth tune [options] <path>

Example

Set the maximum lease TTL to 30 minutes for userpass:

vhsm auth tune -max-lease-ttl=30m userpass

Output

Success! Tuned the auth method at: userpass/

Options

-default-lease-ttl=<duration>
    Sets the default lease TTL.

-max-lease-ttl=<duration>
    Defines the maximum lease duration.

-audit-non-hmac-request-keys=<string>
    Excludes specified request keys from HMAC auditing.

-token-type=<string>
    Defines the type of tokens issued.

-user-lockout-threshold=<int>
    Specifies the number of failed login attempts before user lockout.

-user-lockout-duration=<duration>
    Defines how long a user remains locked out.


vhsm auth help

The help subcommand provides usage details for a specified authentication method.

Usage

vhsm auth help <auth-method>

Example

Get help for the userpass authentication method:

vhsm auth help userpass

Output

Usage: vhsm login -method=userpass [CONFIG K=V...]

  The userpass auth method allows users to authenticate using vHSM's
  internal user database.

  Authenticate as "sally":

      $ vhsm login -method=userpass username=sally
      Password (will be hidden):

  Authenticate as "bob":

      $ vhsm login -method=userpass username=bob password=password

Configuration:

  password=<string>
      Password to use for authentication. If not provided, the CLI will prompt
      for this on stdin.

  username=<string>
      Username to use for authentication.
