kcerts

package
v0.0.0-...-895b022 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 13, 2024 License: BSD-3-Clause, BSD-3-Clause Imports: 33 Imported by: 0

Documentation

Overview

+build linux

Index

Constants

View Source 
const (
	SSHCacheKey  = "enkitssh"
	SSHCacheFile = "ssh.json"
)
View Source 
const (
	MaxCertTimeDuration     = time.Duration(1<<63 - 1)
	InValidCertTimeDuration = time.Duration(0)
)
View Source 
const (
	CAPrefix   = "@cert-authority"
	SSHDir     = ".ssh"
	KnownHosts = "known_hosts"
)

Variables

View Source 
var (
	GetConfigDir = directory.GetConfigDir // to enable mocking
)
View Source 
var (
	SSHAgentNoCache = errors.New("ssh agent cached entry does not exist")
)

Functions

func AddKey 

func AddKey(conn net.Conn, a SSHAgent, privateKey PrivateKey, publicKey ssh.PublicKey) error

func AddSSHCAToClient 

func AddSSHCAToClient(publicKey ssh.PublicKey, hosts []string, sshDir string) error

AddSSHCAToClient adds a public key to the $HOME/.ssh/known_hosts in the ssh-cert x509.1 format. For each entry, it adds an additional line and does not concatenate.

func DeleteSSHCache 

func DeleteSSHCache(store cache.Store) error

DeleteSSHCache deletes the SSH cache

func DialTimeout 

func DialTimeout(a SSHAgent) (net.Conn, error)

func FindSSHDir 

func FindSSHDir() (string, error)

FindSSHDir will find the users ssh directory based on $HOME. If $HOME/.ssh does not exist it will attempt to create it.

func GenerateIntermediateCertificate 

func GenerateIntermediateCertificate(opts *certOptions, RootCa *x509.Certificate, RootCaPrivateKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateIntermediateCertificate will generate the DCA and intermediate chain. It is acceptable to publicly share this chain. requires to call GenerateNewCARoot beforehand. Reusing Opts is recommended.

func GenerateNewCARoot 

func GenerateNewCARoot(opts *certOptions) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateNewCARoot returns the new certificate anchor for a chain. This should ideally only be called once as rotating this will invalidate all existing private certs. Unless, you add it and reload and x509.CertPool in a server.

func GenerateSSHKeyPair 

func GenerateSSHKeyPair(privateKey *rsa.PrivateKey) ([]byte, []byte)

GenerateSSHKeyPair will generate a re-encoded private rsa key and public key from an existing *rsa.PrivateKey.

func GenerateServerKey 

func GenerateServerKey(opts *certOptions, intermediateCert *x509.Certificate, intermediatePrivateKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateServerKey will generate the final tls cert, generally requires GenerateIntermediateCertificate and GenerateNewCARoot to be called beforehand. Reusing Opts is recommended.

func NewOptions 

func NewOptions(mods ...Modifier) (*certOptions, error)

func NewSSHSigner 

func NewSSHSigner(signer crypto.Signer, algo string) (ssh.Signer, error)

func NewSigner 

func NewSigner(key PrivateKey) (ssh.Signer, error)

func SSHCertRemainingTTL 

func SSHCertRemainingTTL(cert *ssh.Certificate) time.Duration

SSHCertRemainingTTL returns the remaining ttl of a cert when compared to current time.

If the cert is invalid it will return a ttl of 0. If it is infinite it will return max time.Duration, MaxCertTimeDuration.

func SSHCertTotalTTL 

func SSHCertTotalTTL(cert *ssh.Certificate) time.Duration

SSHCertTotalTTL returns the total ttl of a cert. If the ttl is invalid, it will return a duration of 0. If the cert is infinite, it will return the max time.Duration.

func SignPublicKey 

func SignPublicKey(p PrivateKey, certType uint32, principals []string, ttl time.Duration, pub ssh.PublicKey, mods ...CertMod) (*ssh.Certificate, error)

SignPublicKey will sign and return credentials based on the CA signer and given parameters to generate a user cert, certType must be 1, and host certs ust have certType 2

func WriteAgentToCache 

func WriteAgentToCache(store cache.Store, agent *SSHAgent) error

Types

type AgentCert 

type AgentCert struct {
	MD5        string
	Principals []string
	Ext        map[string]string
	ValidFor   time.Duration
}

type CertMod 

type CertMod func(certificate *ssh.Certificate) *ssh.Certificate
var NoOp CertMod = func(certificate *ssh.Certificate) *ssh.Certificate {
	return certificate
}

type Modifier 

type Modifier func(o *certOptions) error

func WithCountries 

func WithCountries(countries []string) Modifier

func WithIpAddresses 

func WithIpAddresses(ips []net.IP) Modifier

func WithNotValidBefore 

func WithNotValidBefore(startTime time.Time) Modifier

func WithOrganizations 

func WithOrganizations(orgs []string) Modifier

func WithValidUntil 

func WithValidUntil(validUntil time.Time) Modifier

type PrivateKey 

type PrivateKey interface {
	Signer() crypto.Signer
	SigningAlgo() string
	Raw() interface{}
	SSHPemEncode() ([]byte, error)
}

func FromEC25519 

func FromEC25519(key ed25519.PrivateKey) PrivateKey

func FromRSA 

func FromRSA(key *rsa.PrivateKey) PrivateKey

func GenerateED25519 

func GenerateED25519() (ssh.PublicKey, PrivateKey, error)

func GenerateRSA 

func GenerateRSA() (ssh.PublicKey, PrivateKey, error)

type SSHAgent 

type SSHAgent struct {
	State SSHAgentState

	// Close will free the resources allocated by this SSHAgent object.
	//
	// If an ssh-agent was started, the Close() call will kill it.
	// If an ssh-agent was found in the environment, it will leave it running.
	Close func()
	// contains filtered or unexported fields
}

SSHAgent is a wrapper around golang.org/x/crypto/ssh/agent to ease the creation and management of ssh-agents.

func FindOrCreateSSHAgent 

func FindOrCreateSSHAgent(store cache.Store, mods ...SSHAgentModifier) (*SSHAgent, error)

FindOrCreateSSHAgent Will start the ssh agent in the interactive terminal if it isn't present already as an environment variable It will pull, in order: from the env, from the cache, create new.

func NewSSHAgent 

func NewSSHAgent(mods ...SSHAgentModifier) (*SSHAgent, error)

func PrepareSSHAgent 

func PrepareSSHAgent(store cache.Store, mods ...SSHAgentModifier) (*SSHAgent, error)

PrepareSSHAgent ensures that we end up with a working ssh-agent, either by discovering an existing ssh-agent or creating a new one. It also ensures that we have an up-to-date symlink to that agent's socket in the standard location.

The final ssh-agent socket returned by PrepareSSHAgent is always ~/.config/enkit/agent.

func (SSHAgent) AddCertificates 

func (a SSHAgent) AddCertificates(privateKey PrivateKey, publicKey ssh.PublicKey) error

AddCertificates loads an ssh certificate into the agent. privateKey must be a key type accepted by the golang.org/x/ssh/agent AddedKey struct. At time of writing, this can be: *rsa.PrivateKey, *dsa.PrivateKey, ed25519.PrivateKey or *ecdsa.PrivateKey. Note that ed25519.PrivateKey should be passed by value.

func (*SSHAgent) CreateNew 

func (agent *SSHAgent) CreateNew() error

CreateNewSSHAgent creates a new ssh agent.

Its env variables have not been added to the shell. It does not maintain its own connection.

func (SSHAgent) GetEnv 

func (a SSHAgent) GetEnv() []string

func (*SSHAgent) GetStandardSocketPath 

func (a *SSHAgent) GetStandardSocketPath() (string, error)

func (SSHAgent) Kill 

func (a SSHAgent) Kill() error

func (*SSHAgent) LoadFromCache 

func (agent *SSHAgent) LoadFromCache(store cache.Store) error

func (*SSHAgent) LoadFromEnvironment 

func (agent *SSHAgent) LoadFromEnvironment() error

LoadFromEnvironment prepares an SSHAgent from environment variables.

This is useful to configure an already running ssh-agent, post `eval ssh-agent`.

func (SSHAgent) Principals 

func (a SSHAgent) Principals() ([]AgentCert, error)

Principals returns a map where the keys are the CA's PKS and the certs identities are the values

func (*SSHAgent) UseStandardPaths 

func (a *SSHAgent) UseStandardPaths() error

func (SSHAgent) Valid 

func (a SSHAgent) Valid() error

type SSHAgentFlags 

type SSHAgentFlags struct {
	Timeout   time.Duration
	AgentPath string
	AgentArgs []string
}

func SSHAgentDefaultFlags 

func SSHAgentDefaultFlags() *SSHAgentFlags

func (*SSHAgentFlags) Register 

func (f *SSHAgentFlags) Register(set kflags.FlagSet, prefix string) *SSHAgentFlags

type SSHAgentModifier 

type SSHAgentModifier func(s *SSHAgent) error

func WithAgentPath 

func WithAgentPath(path string, args []string) SSHAgentModifier

func WithConfigDir 

func WithConfigDir(dir string) SSHAgentModifier

func WithFlags 

func WithFlags(f *SSHAgentFlags) SSHAgentModifier

func WithLogging 

func WithLogging(log logger.Logger) SSHAgentModifier

func WithTimeout 

func WithTimeout(timeout time.Duration) SSHAgentModifier

type SSHAgentModifiers 

type SSHAgentModifiers []SSHAgentModifier

func (SSHAgentModifiers) Apply 

func (m SSHAgentModifiers) Apply(a *SSHAgent) error

type SSHAgentState 

type SSHAgentState struct {
	PID    int    `json:"pid"`
	Socket string `json:"sock"`
}

SSHAgentState is the struct marsheld/unmarshaled to/from disk to maintain state about an existing ssh-agent.

type SSHKeyGenerator 

type SSHKeyGenerator func() (ssh.PublicKey, PrivateKey, error)

KeyGenerator is A function capable of generating a key pair.

The function is expected to return a Public Key, a Private Key, and an error.

Only keys supported by x/crypto/ssh.NewPublicKey are supported. 

var (
	GenerateDefault SSHKeyGenerator = GenerateED25519
)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.