5d17f9b142
* Add ability to clean up host keys for dynamic keys This adds a new endpoint, tidy/dynamic-keys that removes any stale host keys still present on the mount. This does not clean up any pending dynamic key leases and will not remove these keys from systems with authorized hosts entries created by Vault. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
126 lines
2.7 KiB
Go
126 lines
2.7 KiB
Go
package ssh
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/salt"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
type backend struct {
|
|
*framework.Backend
|
|
view logical.Storage
|
|
salt *salt.Salt
|
|
saltMutex sync.RWMutex
|
|
}
|
|
|
|
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
|
|
b, err := Backend(conf)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := b.Setup(ctx, conf); err != nil {
|
|
return nil, err
|
|
}
|
|
return b, nil
|
|
}
|
|
|
|
func Backend(conf *logical.BackendConfig) (*backend, error) {
|
|
var b backend
|
|
b.view = conf.StorageView
|
|
b.Backend = &framework.Backend{
|
|
Help: strings.TrimSpace(backendHelp),
|
|
|
|
PathsSpecial: &logical.Paths{
|
|
Unauthenticated: []string{
|
|
"verify",
|
|
"public_key",
|
|
},
|
|
|
|
LocalStorage: []string{
|
|
"otp/",
|
|
},
|
|
|
|
SealWrapStorage: []string{
|
|
caPrivateKey,
|
|
caPrivateKeyStoragePath,
|
|
keysStoragePrefix,
|
|
},
|
|
},
|
|
|
|
Paths: []*framework.Path{
|
|
pathConfigZeroAddress(&b),
|
|
pathListRoles(&b),
|
|
pathRoles(&b),
|
|
pathCredsCreate(&b),
|
|
pathLookup(&b),
|
|
pathVerify(&b),
|
|
pathConfigCA(&b),
|
|
pathSign(&b),
|
|
pathIssue(&b),
|
|
pathFetchPublicKey(&b),
|
|
pathCleanupKeys(&b),
|
|
},
|
|
|
|
Secrets: []*framework.Secret{
|
|
secretOTP(&b),
|
|
},
|
|
|
|
Invalidate: b.invalidate,
|
|
BackendType: logical.TypeLogical,
|
|
}
|
|
return &b, nil
|
|
}
|
|
|
|
func (b *backend) Salt(ctx context.Context) (*salt.Salt, error) {
|
|
b.saltMutex.RLock()
|
|
if b.salt != nil {
|
|
defer b.saltMutex.RUnlock()
|
|
return b.salt, nil
|
|
}
|
|
b.saltMutex.RUnlock()
|
|
b.saltMutex.Lock()
|
|
defer b.saltMutex.Unlock()
|
|
if b.salt != nil {
|
|
return b.salt, nil
|
|
}
|
|
salt, err := salt.NewSalt(ctx, b.view, &salt.Config{
|
|
HashFunc: salt.SHA256Hash,
|
|
Location: salt.DefaultLocation,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
b.salt = salt
|
|
return salt, nil
|
|
}
|
|
|
|
func (b *backend) invalidate(_ context.Context, key string) {
|
|
switch key {
|
|
case salt.DefaultLocation:
|
|
b.saltMutex.Lock()
|
|
defer b.saltMutex.Unlock()
|
|
b.salt = nil
|
|
}
|
|
}
|
|
|
|
const backendHelp = `
|
|
The SSH backend generates credentials allowing clients to establish SSH
|
|
connections to remote hosts.
|
|
|
|
There are two variants of the backend, which generate different types of
|
|
credentials: One-Time Passwords (OTPs) and certificate authority. The desired behavior
|
|
is role-specific and chosen at role creation time with the 'key_type'
|
|
parameter.
|
|
|
|
Please see the backend documentation for a thorough description of both
|
|
types. The Vault team strongly recommends the OTP type.
|
|
|
|
After mounting this backend, before generating credentials, configure the
|
|
backend's lease behavior using the 'config/lease' endpoint and create roles
|
|
using the 'roles/' endpoint.
|
|
`
|