diff --git a/go/access/access.go b/go/access/access.go
index 908b27fca0..7cff4440d9 100644
--- a/go/access/access.go
+++ b/go/access/access.go
@@ -12,6 +12,7 @@ import (
 	"net"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"strings"
 	"time"
@@ -26,8 +27,29 @@ var (
 	vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
 	sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
 	sshRole = flag.String("ssh_role", "user", "SSH role")
+	sshPrincipal = flag.String("principal", currentUsername(), "principal to request in certificate")
+
+	requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
 )
 
+func currentUsername() string {
+	// What's our principal?
+	u, err := user.Current()
+	if err != nil {
+		log.Fatalf("looking up current user: %v", err)
+	}
+	return u.Username
+}
+
+func shouldRequirePresence() bool {
+	hn, err := os.Hostname()
+	if err != nil {
+		log.Fatalf("getting hostname: %v", err)
+	}
+	// WSL2 makes things hard.
+	return hn != "PORCOROSSO"
+}
+
 const (
 	sshAgentComment = "vault certificate"
 )
@@ -222,7 +244,8 @@ func main() {
 	// Sign the key.
 	vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
 	sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
-		"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
+		"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
+		"valid_principals": *sshPrincipal,
 	})
 	if err != nil {
 		log.Fatalf("signing SSH key: %v", err)
@@ -245,7 +268,7 @@ func main() {
 		Certificate: signedCert,
 		Comment: sshAgentComment,
 		LifetimeSecs: uint32(certLifetime.Seconds()),
-		ConfirmBeforeUse: true,
+		ConfirmBeforeUse: *requirePresence,
 	}); err != nil {
 		log.Fatalf("adding key to agent: %w", err)
 	}
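Review bot: Both new helpers run during package variable initialization as flag defaults, so a failing `user.Current()` or `os.Hostname()` hits `log.Fatalf` before `flag.Parse` can see a `-principal` or `-require_presence` override on the command line. For `shouldRequirePresence` the fail-closed choice is to keep presence confirmation on rather than exit, `if err != nil { return true }`; for `currentUsername` returning `""` and rejecting an empty `*sshPrincipal` in main after parsing keeps the override usable. The hostname comparison on the last line of `shouldRequirePresence` is a convenience default rather than a security control, since a hostname is trivially changed; a comment such as `// Presence is off by default on this host only (WSL2); pass -require_presence=true to restore it.` would make that explicit next to the existing "WSL2 makes things hard." remark.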
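Review bot: `"valid_principals": *sshPrincipal` forwards the flag value unchecked, so `-principal ""` sends an empty principal list and the resulting certificate's principals then depend entirely on the Vault role's defaults rather than on what the caller asked for. A guard before the SignKey call, `if *sshPrincipal == "" { log.Fatal("-principal must not be empty") }`, keeps the request explicit. Vault presumably treats this field as a comma-separated list, so a value containing a comma would request several principals; worth stating in the flag's usage string if that is intended. main begins and continues outside this hunk.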
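Review bot: With `ConfirmBeforeUse: *requirePresence` the certificate can now sit in the agent for `LifetimeSecs` with no per-use prompt, and nothing tells the user which mode was chosen; a line before the AddKey call such as `log.Printf("adding certificate to agent (confirm before use: %v)", *requirePresence)` makes a silently relaxed default visible. The context line `log.Fatalf("adding key to agent: %w", err)` uses `%w`, which `log.Fatalf` does not support (it prints a `%!w` error marker); it should be `%v`. main continues outside this hunk.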