mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-14 02:27:02 +02:00
Code Issues Projects Releases Wiki Activity
5,867 Commits 2,843 Branches 445 Tags 447 MiB
eb0e7cd0d2
Commit Graph

142 Commits

Author SHA1 Message Date
Jeff Mitchell
eb0e7cd0d2 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell
2fbd973001 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Jeff Mitchell
866b384494 Parse and dedup but do not lowercase principals in SSH certs. (#2591) 2017-04-18 12:21:02 -04:00
Jeff Mitchell
14c0000169 Update SSH CA documentation 
Fixes #2551
Fixes #2569
 2017-04-07 11:59:25 -04:00
Vishal Nayak
16d41a8b28 sshca: ensure atleast cert type is allowed (#2508) 2017-03-19 18:58:48 -04:00
Jeff Mitchell
a5d1808efe Always include a hash of the public key and "vault" (to know where it (#2498) 
came from) when generating a cert for SSH.

Follow on from #2494
 2017-03-16 11:14:17 -04:00
Mike Okner
6f84f7ffd0 Adding allow_user_key_ids field to SSH role config (#2494) 
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
 2017-03-16 08:45:11 -04:00
Stanislav Grozev
70b30b40d4 Reads on unconfigured SSH CA public key return 400 2017-03-14 10:21:48 -04:00
Stanislav Grozev
5f3397bff5 Reads on ssh/config/ca return the public keys 
If configured/generated.
 2017-03-14 10:21:48 -04:00
Stanislav Grozev
d22796c644 If generating an SSH CA signing key - return the public part 
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
 2017-03-14 10:21:48 -04:00
Vishal Nayak
9af1ca3d2c doc: ssh allowed_users update (#2462) 
* doc: ssh allowed_users update

* added some more context in default_user field
 2017-03-09 10:34:55 -05:00
vishalnayak
3bd667a931 Fix typo 2017-03-08 17:49:39 -05:00
Vishal Nayak
a4e41f6568 SSH CA enhancements (#2442) 
* Use constants for storage paths

* Upgrade path for public key storage

* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes

* Remove a print statement

* Added tests for upgrade case

* Make exporting consistent in creation bundle

* unexporting and constants

* Move keys into a struct instead of plain string

* minor changes
 2017-03-08 17:36:21 -05:00
Jeff Mitchell
df575f0b3a Rename helper 'duration' to 'parseutil'. (#2449) 
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
 2017-03-07 11:21:22 -05:00
Vishal Nayak
8491db3ce6 ssh: Added DeleteOperation to config/ca (#2434) 
* ssh: Added DeleteOperation to config/ca

* Address review feedback
 2017-03-03 10:19:45 -05:00
Jeff Mitchell
5fe459f91a Update SSH CA logic/tests 2017-03-02 16:39:22 -05:00
Vishal Nayak
93b74ebe71 Refactor the generate_signing_key processing (#2430) 2017-03-02 16:22:06 -05:00
Jeff Mitchell
1c821e448d Update error text to make it more obvious what the issue is when valid principals aren't found 2017-03-02 15:56:08 -05:00
Jeff Mitchell
db29bde264 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
Will May
ffb5ee7fda Changes from code review 2017-03-02 14:36:13 -05:00
Will May
f9d853f7f0 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak
d30a833db7 Rework ssh ca (#2419) 
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
 2017-03-01 15:50:23 -05:00
Will May
7d9cb5bffe Changes from code review 
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
 2017-03-01 15:19:18 -05:00
Will May
59397250da Changes from code review 
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
 2017-03-01 15:19:18 -05:00
Will May
1d59b965cb Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
Jeff Mitchell
8acbdefdf2 More porting from rep (#2388) 
* More porting from rep

* Address review feedback
 2017-02-16 16:29:30 -05:00
vascop
59c55e0aa6 Fix typo and remove trailing whitespace. (#2074) 2016-11-08 09:32:23 -05:00
vishalnayak
b408c95e0d ssh: Use temporary file to store the identity file 2016-10-18 12:50:12 -04:00
vishalnayak
fb2f7f27ba Fix ssh tests 2016-09-22 11:37:55 -04:00
vishalnayak
c93bded97b Added cidrutil helper 2016-09-21 13:58:32 -04:00
Jeff Mitchell
c2f3c465d3 Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 15:04:04 -04:00
Jeff Mitchell
68345eb770 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell
357ecb4dfe gofmt 2016-08-19 16:48:32 -04:00
vishalnayak
b632ef58e4 Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
Jeff Mitchell
551f4a8606 Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 12:17:47 -04:00
Jeff Mitchell
74a1e3bd61 Remove most Root paths 2016-05-31 23:42:54 +00:00
vishalnayak
8ae663f498 Allow * to be set for allowed_users 2016-05-30 03:12:43 -04:00
vishalnayak
c945b8b3f2 Do not allow any username to login if allowed_users is not set 2016-05-30 03:01:47 -04:00
Sean Chittenden
339c0a4127
Speling police 2016-05-15 09:58:36 -07:00
Jeff Mitchell
77a2afa922 Merge pull request #1291 from mmickan/ssh-keyinstall-perms 
Ensure authorized_keys file is readable when uninstalling an ssh key
 2016-04-25 14:00:37 -04:00
vishalnayak
ac5ceae0bd Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Mark Mickan
8deed677d2 Ensure authorized_keys file is readable when uninstalling an ssh key 
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.

Fixes GH #1285
 2016-04-05 17:26:21 +09:30
vishalnayak
9280dda5f4 rename verify_cert as disable_binding and invert the logic 2016-02-24 21:01:21 -05:00
vishalnayak
f5f9a9a056 ssh: Fix response code for ssh/verify 2016-02-16 19:46:29 -05:00
vishalnayak
6b5b96d795 Fix SSH test cases. 2016-02-02 12:32:50 -05:00
Jeff Mitchell
2eb08d3bde Make backends much more consistent: 
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
 2016-01-29 20:03:37 -05:00
Jeff Mitchell
886f641e5d Add listing of roles to ssh backend 2016-01-28 12:48:00 -05:00
Chi Vinh Le
555834f83d Cleanly close SSH connections 2016-01-19 07:59:08 +01:00
Jeff Mitchell
21f91f73bb Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell
45e32756ea WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00