Commit graph

51 commits

Author SHA1 Message Date
Seth Vargo ec9e187ce4 Thread stderr through too (#3211)
* Thread stderr through too

* Small docs typo
2017-08-21 17:23:29 -04:00
Seth Vargo 51d8e5ff86 Do not revoke SSH key (#3208)
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo 2e3a9ebd06
Add host key checking for SSH CA 2017-08-18 12:59:09 -04:00
Seth Vargo 89cffaf25e
Revoke temporary cred after creation, update warning
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo 430fc22023
Initial pass at SSH CLI CA type authentication
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.

2. Each authentication method (ca, otp, dynamic) are now fully-contained
in their own handle* function.

3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.

4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.

5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.

This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Seth Vargo f8922bf674 Update help output (spaces instead of tabs) (#3178) 2017-08-15 21:21:30 -04:00
Seth Vargo c1e6e0bdf2 Use SSHPASS envvar instead of -p for sshpass (#3177)
From the sshpass manpage:

> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell a8d64c5721 Add some minor tweaks to the PR 2017-04-04 12:22:14 -04:00
Greg Parris ad9546104b Typo corrections and tweaks to commands' help info
* Normalize "X arguments expected" messages
* Use "Vault" when referring to the product and "vault" when referring to an instance of the product
* Various minor tweaks to improve readability and/or provide clarity
2017-03-25 12:51:12 -05:00
vishalnayak 931c96d1ba ssh: Use temporary file to store the identity file 2016-10-18 12:50:12 -04:00
vishalnayak e029d3c87a Support execution of remote commands using 'vault ssh' 2016-08-01 14:53:00 -04:00
vishalnayak 4c08d43950 Address review feedback 2016-06-01 11:39:48 -04:00
vishalnayak 8d50543a88 Supplying strictHostKeyChecking and userKnownHostsFile from env vars 2016-06-01 11:08:24 -04:00
vishalnayak 315f9c868c Provide option to disable host key checking 2016-06-01 11:08:24 -04:00
vishalnayak ff6f5ae75b Add a non-nil check for 'port' field to be present in the response 2016-05-25 21:26:32 +00:00
Jeff Mitchell 199f99d031 Decode json.Number before handing to mapstructure 2016-05-25 19:02:31 +00:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Jeff Mitchell 1b7335cf4e Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 16:50:12 -04:00
Jeff Mitchell 133d9c1008 Move meta into its own package 2016-04-01 13:16:05 -04:00
Vishal Nayak 597ba98895 Merge pull request #1099 from hashicorp/fix-ssh-cli
ssh: use resolved IP address while executing ssh command
2016-02-19 13:02:34 -05:00
Jeff Mitchell 28857cb419 Fix mixed whitespacing in ssh help text 2016-02-19 12:47:58 -05:00
vishalnayak bccbf2b87e ssh: use resolved IP address while executing ssh command 2016-02-19 12:19:10 -05:00
Wesley Merkel 5a368fa9de Stop panic when vault ssh username fetching fails 2015-12-26 15:09:07 -07:00
vishalnayak 5063a0608b Vault SSH: Default CIDR for roles 2015-08-27 13:04:15 -04:00
vishalnayak 251cd997ad Vault SSH: TLS client creation test 2015-08-18 19:00:27 -07:00
vishalnayak b91ebbc6e2 Vault SSH: Documentation update and minor refactoring changes. 2015-08-17 18:22:03 -07:00
vishalnayak 9db318fc55 Vault SSH: Website page for SSH backend 2015-08-14 12:41:26 -07:00
vishalnayak 7f9babed2a Vault SSH: CLI embellishments 2015-08-13 16:55:47 -07:00
vishalnayak e782717ba8 Vault SSH: Renamed path with mountPoint 2015-08-12 10:30:50 -07:00
vishalnayak 33d7ef71b9 Vault SSH: Fixed constructor of SSH api 2015-08-12 09:56:17 -07:00
vishalnayak 32502977f6 Vault SSH: Automate OTP typing if sshpass is installed 2015-08-06 17:00:50 -04:00
vishalnayak 0af97b8291 Vault SSH: uninstall dynamic keys using script 2015-08-06 15:50:12 -04:00
vishalnayak 61c9f884a4 Vault SSH: Review Rework 2015-07-29 14:21:36 -04:00
Vishal Nayak 4b4df4271d Vault SSH: Refactoring 2015-07-27 16:42:03 -04:00
Vishal Nayak 791a250732 Vault SSH: Support OTP key type from CLI 2015-07-23 17:20:28 -04:00
Vishal Nayak 3c7dd8611c Vault SSH: Test case skeleton 2015-07-10 09:56:14 -06:00
Vishal Nayak 73414154f8 Vault SSH: Made port number configurable 2015-07-06 16:56:45 -04:00
Vishal Nayak 170dae7f91 Vault SSH: Revoking key after SSH session from CLI 2015-07-06 11:05:02 -04:00
Vishal Nayak 425b69be32 Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 19:52:47 -04:00
Vishal Nayak a1e2705173 Vault SSH: PR review rework 2015-07-02 17:23:09 -04:00
Vishal Nayak bb16052141 Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-01 20:35:11 -04:00
Vishal Nayak d691a95531 Vault SSH: PR review rework - 1 2015-07-01 11:58:49 -04:00
Vishal Nayak 91ed2dcdc2 Refactoring changes 2015-06-29 22:00:08 -04:00
Vishal Nayak 29696d4b6b Creating SSH keys and removal of files in pure 'go' 2015-06-26 15:43:27 -04:00
Vishal Nayak 8c15e2313b ssh/lookup implementation and refactoring 2015-06-25 21:47:32 -04:00
Vishal Nayak b237a3bcc2 POC: Rework. Doing away with policy file. 2015-06-24 18:13:12 -04:00
Vishal Nayak f8d164f477 SSHs to multiple users by registering the respective host keys 2015-06-19 12:59:36 -04:00
Vishal Nayak 8d98968a54 Roles, key renewal handled. End-to-end basic flow working. 2015-06-18 20:48:41 -04:00
Vishal Nayak 2aed5f8798 Implementation for storing and deleting the host information in Vault 2015-06-17 22:10:47 -04:00
Vishal Nayak 303a7cef9a Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-17 20:33:03 -04:00