diff --git a/api/ssh.go b/api/ssh.go
index 1fc282924..7c3e56bb4 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -10,7 +10,7 @@ type SSH struct {
 // SSH returns the client for logical-backend API calls.
 func (c *Client) SSH() *SSH {
-	return c.SSHWithMountPoint(SSHAgentDefaultMountPoint)
+	return c.SSHWithMountPoint(SSHHelperDefaultMountPoint)
 }
 
 // SSHWithMountPoint returns the client with specific SSH mount point.
diff --git a/api/ssh_agent.go b/api/ssh_agent.go
index 57306a647..898251f27 100644
--- a/api/ssh_agent.go
+++ b/api/ssh_agent.go
@@ -14,19 +14,19 @@ import (
 const (
 	// Default path at which SSH backend will be mounted in Vault server
-	SSHAgentDefaultMountPoint = "ssh"
+	SSHHelperDefaultMountPoint = "ssh"
 
-	// Echo request message sent as OTP by the agent
+	// Echo request message sent as OTP by the ssh-helper
 	VerifyEchoRequest = "verify-echo-request"
 
 	// Echo response message sent as a response to OTP matching echo request
 	VerifyEchoResponse = "verify-echo-response"
 )
 
-// SSHAgent is a structure representing an SSH agent which can talk to vault server
+// SSHHelper is a structure representing a ssh-helper which can talk to vault server
 // in order to verify the OTP entered by the user. It contains the path at which
 // SSH backend is mounted at the server.
-type SSHAgent struct {
+type SSHHelper struct {
 	c *Client
 	MountPoint string
 }
 
@@ -45,21 +45,20 @@ type SSHVerifyResponse struct {
 	IP string `mapstructure:"ip"`
 }
 
-// SSHAgentConfig is a structure which represents the entries from the agent's configuration file.
-type SSHAgentConfig struct {
+// SSHHelperConfig is a structure which represents the entries from the ssh-helper's configuration file.
+type SSHHelperConfig struct {
 	VaultAddr string `hcl:"vault_addr"`
 	SSHMountPoint string `hcl:"ssh_mount_point"`
 	CACert string `hcl:"ca_cert"`
 	CAPath string `hcl:"ca_path"`
-	TLSSkipVerify bool `hcl:"tls_skip_verify"`
 	AllowedCidrList string `hcl:"allowed_cidr_list"`
 }
 
 // TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given
 // certificate pool.
-func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
+func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: c.TLSSkipVerify,
+		InsecureSkipVerify: true,
 		MinVersion: tls.VersionTLS12,
 		RootCAs: certPool,
 	}
@@ -70,10 +69,10 @@ func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.C
 }
 
 // NewClient returns a new client for the configuration. This client will be used by the
-// SSH agent to communicate with Vault server and verify the OTP entered by user.
+// ssh-helper to communicate with Vault server and verify the OTP entered by user.
 // If the configuration supplies Vault SSL certificates, then the client will
 // have TLS configured in its transport.
-func (c *SSHAgentConfig) NewClient() (*Client, error) {
+func (c *SSHHelperConfig) NewClient() (*Client, error) {
 	// Creating a default client configuration for communicating with vault server.
 	clientConfig := DefaultConfig()
 
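Review bot: `InsecureSkipVerify: true` in SetTLSParameters disables certificate verification unconditionally, while the doc comment two lines above still promises "TLS verification (TLS 1.2)" and the RootCAs pool built from ca_cert/ca_path no longer has any effect. Taken together with the @@ -81 hunk, where SetTLSParameters is now only reached when a CA is configured, a helper configured with a CA certificate ends up with verification disabled, whereas one configured without any CA keeps the verifying default client — the inverse of what the configuration expresses. If the intent of dropping `tls_skip_verify` is to always verify, the line should be `InsecureSkipVerify: false,` (or simply omitted); if skipping verification must stay possible, keep the `TLSSkipVerify` field and its condition. The doc comment also names `TLSClient` instead of the method; `// SetTLSParameters configures clientConfig's HTTP client for TLS 1.2 with the given certificate pool.` would match. SetTLSParameters's body continues past the end of this hunk.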
@@ -81,7 +80,7 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	clientConfig.Address = c.VaultAddr
 
 	// Check if certificates are provided via config file.
-	if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
+	if c.CACert != "" || c.CAPath != "" {
 		var certPool *x509.CertPool
 		var err error
 		if c.CACert != "" {
@@ -106,13 +105,13 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	return client, nil
 }
 
-// LoadSSHAgentConfig loads agent's configuration from the file and populates the corresponding
+// LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding
 // in-memory structure.
 //
 // Vault address is a required parameter.
 // Mount point defaults to "ssh".
-func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
-	var config SSHAgentConfig
+func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
+	var config SSHHelperConfig
 	contents, err := ioutil.ReadFile(path)
 	if !os.IsNotExist(err) {
 		obj, err := hcl.Parse(string(contents))
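Review bot: In LoadSSHHelperConfig the read error is only tested with `!os.IsNotExist(err)`, so any other failure from ioutil.ReadFile (permission denied, a directory path) falls through with nil contents into hcl.Parse, and the inner `obj, err := hcl.Parse(...)` shadows the outer err, so the original read failure is never reported; the user presumably sees only the later "config missing vault_addr" message. The commit renames this function without addressing it; check `err != nil && !os.IsNotExist(err)` first and return `fmt.Errorf("reading config %s: %v", path, err)`, then parse only when `err == nil`. LoadSSHHelperConfig's body continues past the end of this hunk.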
@@ -131,22 +130,22 @@ func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 		return nil, fmt.Errorf("config missing vault_addr")
 	}
 	if config.SSHMountPoint == "" {
-		config.SSHMountPoint = SSHAgentDefaultMountPoint
+		config.SSHMountPoint = SSHHelperDefaultMountPoint
 	}
 	return &config, nil
 }
 
-// SSHAgent creates an SSHAgent object which can talk to Vault server with SSH backend
+// SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend
 // mounted at default path ("ssh").
-func (c *Client) SSHAgent() *SSHAgent {
-	return c.SSHAgentWithMountPoint(SSHAgentDefaultMountPoint)
+func (c *Client) SSHHelper() *SSHHelper {
+	return c.SSHHelperWithMountPoint(SSHHelperDefaultMountPoint)
 }
 
-// SSHAgentWithMountPoint creates an SSHAgent object which can talk to Vault server with SSH backend
+// SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend
 // mounted at a specific mount point.
-func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent {
-	return &SSHAgent{
+func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper {
+	return &SSHHelper{
 		c: c,
 		MountPoint: mountPoint,
 	}
@@ -155,9 +154,9 @@ func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent {
 // Verify verifies if the key provided by user is present in Vault server. The response
 // will contain the IP address and username associated with the OTP. In case the
 // OTP matches the echo request message, instead of searching an entry for the OTP,
-// an echo response message is returned. This feature is used by agent to verify if
+// an echo response message is returned. This feature is used by ssh-helper to verify if
 // its configured correctly.
-func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error) {
+func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error) {
 	data := map[string]interface{}{
 		"otp": otp,
 	}