Add support for SSH CAs (#1098)
- Accept certs signed by trusted CAs - Username must match the cert principal if set - Any username can be used if cert principal is empty - Don't allow removed pubkeys/CAs to be used after reload
This commit is contained in:
parent
9cd944d320
commit
f31bab5f1a
3 changed files with 74 additions and 25 deletions
13
ssh.go
13
ssh.go
|
@ -115,6 +115,19 @@ func configSSH(l *logrus.Logger, ssh *sshd.SSHServer, c *config.C) (func(), erro
|
|||
return nil, fmt.Errorf("error while adding sshd.host_key: %s", err)
|
||||
}
|
||||
|
||||
// Clear existing trusted CAs and authorized keys
|
||||
ssh.ClearTrustedCAs()
|
||||
ssh.ClearAuthorizedKeys()
|
||||
|
||||
rawCAs := c.GetStringSlice("sshd.trusted_cas", []string{})
|
||||
for _, caAuthorizedKey := range rawCAs {
|
||||
err := ssh.AddTrustedCA(caAuthorizedKey)
|
||||
if err != nil {
|
||||
l.WithError(err).WithField("sshCA", caAuthorizedKey).Warn("SSH CA had an error, ignoring")
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
rawKeys := c.Get("sshd.authorized_users")
|
||||
keys, ok := rawKeys.([]interface{})
|
||||
if ok {
|
||||
|
|
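Review bot: The `continue` after the Warn in the `AddTrustedCA` error path is the last statement of the loop body, so it has no effect, and `err` leaks into the loop scope; the branch reads more cleanly as `if err := ssh.AddTrustedCA(caAuthorizedKey); err != nil { l.WithError(err).WithField("sshCA", caAuthorizedKey).Warn("SSH CA had an error, ignoring") }`. A comment is also worth adding above the `rawCAs` loop, because `ClearTrustedCAs()` and `ClearAuthorizedKeys()` run before the new entries are parsed, so a CA line that fails to parse on reload is dropped rather than carried over from the previous config — the fail-closed behaviour the commit message asks for, but it is easy to misread as "unchanged on error", e.g. `// A CA that fails to parse is dropped, not kept from the previous config (fail closed)`. This is also a different policy from the host_key branch just above, which returns an error instead of warning; if that asymmetry is deliberate, the same comment should say so. Whether the clear-then-add sequence is synchronized against authentications already in flight depends on sshd.SSHServer, which is outside this hunk; configSSH's body continues before and after the hunk.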