go/access: set principal name, set presence required by host
This commit is contained in:
parent
3a32590571
commit
f5d66318a3
1 changed files with 25 additions and 2 deletions
|
@ -12,6 +12,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"os/user"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
@ -26,8 +27,29 @@ var (
|
||||||
vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
|
vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
|
||||||
sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
|
sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
|
||||||
sshRole = flag.String("ssh_role", "user", "SSH role")
|
sshRole = flag.String("ssh_role", "user", "SSH role")
|
||||||
|
sshPrincipal = flag.String("principal", currentUsername(), "principal to request in certificate")
|
||||||
|
|
||||||
|
requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func currentUsername() string {
|
||||||
|
// What's our principal?
|
||||||
|
u, err := user.Current()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("looking up current user: %v", err)
|
||||||
|
}
|
||||||
|
return u.Username
|
||||||
|
}
|
||||||
|
|
||||||
|
func shouldRequirePresence() bool {
|
||||||
|
hn, err := os.Hostname()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("getting hostname: %v", err)
|
||||||
|
}
|
||||||
|
// WSL2 makes things hard.
|
||||||
|
return hn != "PORCOROSSO"
|
||||||
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
sshAgentComment = "vault certificate"
|
sshAgentComment = "vault certificate"
|
||||||
)
|
)
|
||||||
|
@ -222,7 +244,8 @@ func main() {
|
||||||
// Sign the key.
|
// Sign the key.
|
||||||
vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
|
vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
|
||||||
sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
|
sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
|
||||||
"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
|
"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
|
||||||
|
"valid_principals": *sshPrincipal,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("signing SSH key: %v", err)
|
log.Fatalf("signing SSH key: %v", err)
|
||||||
|
@ -245,7 +268,7 @@ func main() {
|
||||||
Certificate: signedCert,
|
Certificate: signedCert,
|
||||||
Comment: sshAgentComment,
|
Comment: sshAgentComment,
|
||||||
LifetimeSecs: uint32(certLifetime.Seconds()),
|
LifetimeSecs: uint32(certLifetime.Seconds()),
|
||||||
ConfirmBeforeUse: true,
|
ConfirmBeforeUse: *requirePresence,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
log.Fatalf("adding key to agent: %w", err)
|
log.Fatalf("adding key to agent: %w", err)
|
||||||
}
|
}
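Review bot: The presence requirement is now decided solely by hostname in shouldRequirePresence, and a hostname is neither authenticated nor unique, so any machine (or WSL2 instance) whose hostname is PORCOROSSO will silently add the certificate to the agent without ConfirmBeforeUse — the only control that stops any process with agent access from using the certificate for its full LifetimeSecs. If the WSL2 carve-out has to stay, it should at least be visible at runtime: before the agent Add in main, add `if !*requirePresence { log.Printf("warning: adding certificate to agent without confirm-before-use; any process with agent access can use it until it expires") }`, and consider defaulting `require_presence` to true and making the WSL2 case an explicit `-require_presence=false` instead of a hostname match. The bare `// WSL2 makes things hard.` comment should also state the actual constraint, e.g. `// shouldRequirePresence reports whether the agent should prompt before each use; it is forced off on the WSL2 host, presumably because agent confirmation prompts are unavailable there — this is a convenience exception, not a security decision.` Note that `log.Fatalf` does not support `%w` (go vet flags it) on the unchanged `adding key to agent` line, and main's body extends beyond this hunk.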
|
||||||
|
|