diff --git a/api/ssh.go b/api/ssh.go
index ee6c460732..b33346acac 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -10,11 +10,12 @@ type SSH struct {
 MountPoint string
 }
-// SSH is used to return the client for logical-backend API calls.
+// Returns the client for logical-backend API calls.
 func (c *Client) SSH() *SSH {
 return c.SSHWithMountPoint(SSHDefaultMountPoint)
 }
+// Returns the client with specific SSH mount point.
 func (c *Client) SSHWithMountPoint(mountPoint string) *SSH {
 return &SSH{
 c: c,
@@ -22,7 +23,7 @@ func (c *Client) SSHWithMountPoint(mountPoint string) *SSH {
 }
 }
-// Invokes the SSH backend API to create a dynamic key or an OTP
+// Invokes the SSH backend API to create a credential to establish an SSH session.
 func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error) {
 r := c.c.NewRequest("PUT", fmt.Sprintf("/v1/%s/creds/%s", c.MountPoint, role))
 if err := r.SetJSONBody(data); err != nil {
diff --git a/api/ssh_agent.go b/api/ssh_agent.go
index 8cba6e7db9..bfcc2653f6 100644
--- a/api/ssh_agent.go
+++ b/api/ssh_agent.go
@@ -75,10 +75,10 @@ func (c *SSHAgentConfig) TLSClient(certPool *x509.CertPool) *http.Client {
 return &client
 }
-// Returns a new client for the given configuration. This client will be used
-// SSH agent to communicate with Vault server to verify the OTP entered by user.
+// Returns a new client for the configuration. This client will be used by the
+// SSH agent to communicate with Vault server and verify the OTP entered by user.
 // If the configuration supplies Vault SSL certificates, then the client will
-// have tls configured in its transport.
+// have TLS configured in its transport.
 func (c *SSHAgentConfig) NewClient() (*Client, error) {
 // Creating a default client configuration for communicating with vault server.
 clientConfig := DefaultConfig()
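Review bot: The rewritten doc comments drop the identifier they describe, which Go doc tooling and golint expect as the first word; the old `// SSH is used to return ...` followed the convention, while the new `// Returns the client for logical-backend API calls.` and `// Returns the client with specific SSH mount point.` do not. Prefer `// SSH returns the client for logical-backend API calls.` and `// SSHWithMountPoint returns an SSH client bound to mountPoint.` here, `// Credential invokes the SSH backend API to create a credential to establish an SSH session.` in the next hunk, and `// NewClient returns ...` / `// LoadSSHAgentConfig loads ...` in the two api/ssh_agent.go hunks that rewrite those comments. SSHWithMountPoint's body continues past the end of this hunk.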
@@ -86,6 +86,7 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 // Pointing the client to the actual address of vault server.
 clientConfig.Address = c.VaultAddr
+ // Check if certificates are provided via config file.
 if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
 var certPool *x509.CertPool
 var err error
@@ -97,6 +98,8 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 if err != nil {
 return nil, err
 }
+
+ // Change the configuration to have an HTTP client with TLS enabled.
 clientConfig.HttpClient = c.TLSClient(certPool)
 }
@@ -105,11 +108,12 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 if err != nil {
 return nil, err
 }
+
 return client, nil
 }
-// Loads agent's configuration from the file and populates the corresponding
-// in memory structure.
+// Load agent's configuration from the file and populate the corresponding
+// in-memory structure. Vault address and SSH mount points required parameters.
 func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 var config SSHAgentConfig
 contents, err := ioutil.ReadFile(path)
@@ -125,6 +129,14 @@ func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 } else {
 return nil, err
 }
+
+ if config.VaultAddr == "" {
+ return nil, fmt.Errorf("config missing vault_addr")
+ }
+ if config.SSHMountPoint == "" {
+ return nil, fmt.Errorf("config missing ssh_mount_point")
+ }
+
 return &config, nil
 }
diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go
index 04a00538ac..603a7e5826 100644
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@@ -4,12 +4,15 @@ import (
 "fmt"
 "net"
 "strconv"
+ "time"
 "github.com/hashicorp/vault/helper/uuid"
 "github.com/hashicorp/vault/logical"
 "github.com/hashicorp/vault/logical/framework"
 )
+const defaultSSHLeaseDuration = 5 * time.Minute
+
 type sshOTP struct {
 Username string `json:"username"`
 IP string `json:"ip"`
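Review bot: The added comment `// Check if certificates are provided via config file.` understates the condition on the next line, which is also true when only TLSSkipVerify is set and no CA cert or CA path is configured. That path presumably hands the agent a client that does not verify Vault's server certificate for the OTP check, so the comment should name it: `// Use a TLS-configured client when CA material is supplied, or when certificate verification is explicitly disabled via TLSSkipVerify.` The TLSClient body that acts on these fields is outside the hunk, as is the rest of NewClient.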
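Review bot: The new second sentence of the LoadSSHAgentConfig comment in the `@@ -105,11 +108,12 @@` hunk lacks its verb: `Vault address and SSH mount points required parameters.` should read `Vault address and SSH mount point are required parameters.` The body of LoadSSHAgentConfig continues past the end of that hunk.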
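Review bot: The two new rejection errors in the `@@ -125,6 +129,14 @@` hunk name the missing key but not the file that was read, so an operator who runs the agent against more than one config path cannot tell which one was rejected; `path` is in scope, e.g. `return nil, fmt.Errorf("config %q missing vault_addr", path)` and the same for ssh_mount_point. Both format strings carry no directives, so `errors.New` would also do if that package is imported in this file. The decode that populates `config` happens above the hunk.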
@@ -133,6 +136,11 @@ func (b *backend) pathCredsCreateWrite(
 result.Secret.LeaseGracePeriod = lease.LeaseMax
 }
+ if lease == nil {
+ result.Secret.Lease = defaultSSHLeaseDuration
+ result.Secret.LeaseGracePeriod = 0
+ }
+
 return result, nil
 }
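Review bot: The new `if lease == nil` branch immediately follows a block whose context line `result.Secret.LeaseGracePeriod = lease.LeaseMax` implies an `if lease != nil` guard, so the two checks on the same value would read more clearly as a single `if/else`; hedged because that guard's opening line is outside the hunk. A comment on the fallback would also make the choice visible to the next reader, e.g. `// No lease config stored for the backend: issue a short default lease with no grace period.`, since `result.Secret.LeaseGracePeriod = 0` otherwise looks like a no-op on a zero-valued Secret. pathCredsCreateWrite begins outside the hunk.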