Documentation

Constants

const (
	// TouchlessLabel is the label for touchless certificates.
	TouchlessLabel = ":notouch"
	// TouchLabel is the label for touch certificates.
	TouchLabel = ":touch"
)
const CriticalOptionTouchlessSudoHosts = "touchless-sudo-hosts"
CriticalOptionTouchlessSudoHosts is a critical option in the cert to set a list of hosts with both touchless ssh and touchless sudo credentials valid.
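An added example (not the project's own code) of how a validating host would consume this critical option. Per the OpenSSH certificate format, a critical option that the validating party does not recognise must cause the certificate to be rejected, which is why a host-scoped permission like this is carried as a critical option rather than an extension. The page does not document the value encoding, so the example assumes a comma-separated list of hostnames; the names touchlessSudoHosts and touchlessSudoAllowed, and the sample option map, are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// CriticalOptionTouchlessSudoHosts is the option name documented for the package.
const CriticalOptionTouchlessSudoHosts = "touchless-sudo-hosts"

// touchlessSudoHosts extracts the host list from a certificate's critical
// options (the map an ssh.Certificate exposes as Permissions.CriticalOptions).
// ASSUMPTION of this example: the value is a comma-separated hostname list;
// the documented package does not state its encoding. Entries are trimmed
// and lower-cased because hostnames compare case-insensitively.
func touchlessSudoHosts(criticalOptions map[string]string) []string {
	raw, ok := criticalOptions[CriticalOptionTouchlessSudoHosts]
	if !ok {
		return nil
	}
	var hosts []string
	for _, h := range strings.Split(raw, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" {
			hosts = append(hosts, h)
		}
	}
	return hosts
}

// touchlessSudoAllowed reports whether host is explicitly listed in the
// certificate's touchless-sudo-hosts option. Matching is exact (no wildcards
// or suffix matching), and a missing option, an empty list, an empty host
// name, or an unlisted host all yield false, so the default is deny.
func touchlessSudoAllowed(criticalOptions map[string]string, host string) bool {
	want := strings.ToLower(strings.TrimSpace(host))
	if want == "" {
		return false
	}
	for _, h := range touchlessSudoHosts(criticalOptions) {
		if h == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample critical options, as a cert would carry them.
	opts := map[string]string{
		CriticalOptionTouchlessSudoHosts: "build01.example.com, build02.example.com",
	}
	for _, h := range []string{"build01.example.com", "BUILD02.example.com", "db01.example.com"} {
		fmt.Printf("%-22s touchless sudo allowed: %v\n", h, touchlessSudoAllowed(opts, h))
	}
}
```

The check is deliberately an allow-list lookup with no pattern matching: the option narrows where a touchless-sudo credential is valid, so any host not named in it should fall back to the touch-required path.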
Variables

var TypeLabel = map[Type]string{
	TouchSudoCert:            "TouchSudo",
	TouchlessCert:            "Touchless",
	TouchlessSudoCert:        "TouchlessSudo",
	FirefighterCert:          "FireFighterSudo",
	NonceCert:                "Nonce",
	TouchlessInAgentCert:     "TouchlessInAgent",
	TouchlessSudoInAgentCert: "TouchlessSudoInAgent",
}
TypeLabel is the mapping from cert type to label.
Functions

func GetPrincipals
GetPrincipals returns the labeled principals based on the certificate type.
func Label
func Label(cert *ssh.Certificate) (string, error)
Label returns the label to be attached to the certificate, based on keyid and certificate options.
func ValidateSSHCertTime
func ValidateSSHCertTime(cert *ssh.Certificate, currentTime time.Time) bool
ValidateSSHCertTime returns true if the certificate has not expired at currentTime.
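An added example, not the project's code, showing the check that ValidateSSHCertTime's contract describes. It works over the two validity fields an ssh.Certificate carries, ValidAfter and ValidBefore (Unix seconds as uint64), using a stand-in struct so it runs without golang.org/x/crypto/ssh; the names certValidity, validAtTime and remainingLifetime are the example's own. The inclusive ValidAfter / exclusive ValidBefore comparison and the CertTimeInfinity sentinel (1<<64 - 1, meaning "never expires") follow the behaviour of x/crypto/ssh's CertChecker.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// certTimeInfinity mirrors ssh.CertTimeInfinity: a ValidBefore of 1<<64-1
// means the certificate never expires.
const certTimeInfinity = math.MaxUint64

// certValidity is a constructed stand-in for the validity fields of an
// ssh.Certificate (not the project's type), so the example runs offline.
type certValidity struct {
	ValidAfter  uint64 // Unix seconds, inclusive
	ValidBefore uint64 // Unix seconds, exclusive
}

// validAtTime reports whether the certificate is valid at now: it must be
// at or after ValidAfter and strictly before ValidBefore (unless ValidBefore
// is the infinity sentinel). Times before the Unix epoch are rejected rather
// than converted to a huge unsigned value.
func validAtTime(c certValidity, now time.Time) bool {
	unix := now.Unix()
	if unix < 0 {
		return false
	}
	t := uint64(unix)
	if t < c.ValidAfter {
		return false
	}
	if c.ValidBefore != certTimeInfinity && t >= c.ValidBefore {
		return false
	}
	return true
}

// remainingLifetime returns how long the certificate stays valid after now.
// The bool is false when the certificate is not valid at now (not yet valid
// or already expired); a never-expiring certificate reports the largest
// representable Duration.
func remainingLifetime(c certValidity, now time.Time) (time.Duration, bool) {
	if !validAtTime(c, now) {
		return 0, false
	}
	if c.ValidBefore == certTimeInfinity {
		return time.Duration(math.MaxInt64), true
	}
	expiry := time.Unix(int64(c.ValidBefore), 0)
	return expiry.Sub(now), true
}

func main() {
	// Constructed sample: a one-hour certificate issued at a fixed instant.
	issued := time.Unix(1_700_000_000, 0).UTC()
	c := certValidity{
		ValidAfter:  uint64(issued.Unix()),
		ValidBefore: uint64(issued.Add(time.Hour).Unix()),
	}
	for _, now := range []time.Time{issued.Add(-time.Minute), issued.Add(30 * time.Minute), issued.Add(time.Hour)} {
		left, ok := remainingLifetime(c, now)
		fmt.Printf("%s valid=%v remaining=%v\n", now.Format(time.RFC3339), ok, left)
	}
}
```

Checking the end of the window with "now >= ValidBefore" rather than ">" matters at the one-second boundary: a certificate whose ValidBefore equals the current second is already expired, which is how sshd evaluates it too.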
Types

type Type
type Type int
Type indicates the type of ssh cert provisioned by YSSHRA. Steps required to define a new kind of certificate, in that order:

1. Add the new CertType below.
2. Update the GetType() function to ensure we have a unique way to identify a certificate. As far as possible, it should rely *only* on the keyid in the certificate to uniquely identify the certificate type.
3. Rebuild client packages and ship them out.
4. Make the changes on production to start issuing the certificates of the new kind.

const (
	// UnknownCertType indicates that the type of certificate is unknown.
	UnknownCertType Type = iota
	// TouchSudoCert is the certificate which requires a touch for SSH and SUDO authentication.
	// TouchSudoCert's private key is backed in a smartcard.
	TouchSudoCert
	// TouchlessCert is the certificate which does not require a touch for SSH authentication.
	// TouchlessCert's private key is backed in a smartcard.
	// Note: TouchlessCert can be used for SUDO authentication by defining a touchless cert filter in PAM YSSHCA.
	TouchlessCert
	// TouchlessSudoCert is the certificate which does not require a touch for SSH or SUDO authentication on a set of hosts.
	// TouchlessSudoCert's private key is backed in a smartcard.
	TouchlessSudoCert
	// FirefighterCert is a touch certificate with longer validity for emergency use.
	// FirefighterCert's private key is backed in a smartcard.
	FirefighterCert
	// NonceCert is the certificate for one time authentication. It is used as a certificate based token.
	NonceCert
	// TouchlessInAgentCert is the certificate which does not require a touch for SSH authentication.
	// TouchlessInAgentCert's private key is backed in SSH-agent.
	// Note: TouchlessInAgentCert can be used for SUDO authentication by defining a customized cert filter in PAM YSSHCA.
	TouchlessInAgentCert
	// TouchlessSudoInAgentCert is the certificate which does not require a touch for SUDO authentication on a set of hosts.
	// TouchlessSudoInAgentCert's private key is backed in SSH-agent.
	TouchlessSudoInAgentCert
)
func GetType
func GetType(cert *ssh.Certificate) Type
GetType returns the certificate type based on different keyid and certificate options set by ysshra gensign.