kcerts

package
v0.0.0-...-bee7c02 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 11, 2025 License: BSD-3-Clause, BSD-3-Clause Imports: 33 Imported by: 0

Documentation

Overview

+build linux

Index

Constants

View Source
const (
	SSHCacheKey  = "enkitssh"
	SSHCacheFile = "ssh.json"
)
View Source
const (
	MaxCertTimeDuration     = time.Duration(1<<63 - 1)
	InValidCertTimeDuration = time.Duration(0)
)
View Source
const (
	CAPrefix   = "@cert-authority"
	SSHDir     = ".ssh"
	KnownHosts = "known_hosts"
)

Variables

View Source
var (
	GetConfigDir = directory.GetConfigDir // to enable mocking
)
View Source
var (
	SSHAgentNoCache = errors.New("ssh agent cached entry does not exist")
)

Functions

func AddKey

func AddKey(conn net.Conn, a SSHAgent, privateKey PrivateKey, publicKey ssh.PublicKey) error

func AddSSHCAToClient

func AddSSHCAToClient(publicKey ssh.PublicKey, hosts []string, sshDir string) error

AddSSHCAToClient adds a public key to the $HOME/.ssh/known_hosts in the ssh-cert x509.1 format. For each entry, it adds an additional line and does not concatenate.

func DeleteSSHCache

func DeleteSSHCache(store cache.Store) error

DeleteSSHCache deletes the SSH cache

func DialTimeout

func DialTimeout(a SSHAgent) (net.Conn, error)

func FindSSHDir

func FindSSHDir() (string, error)

FindSSHDir will find the users ssh directory based on $HOME. If $HOME/.ssh does not exist it will attempt to create it.

func GenerateIntermediateCertificate

func GenerateIntermediateCertificate(opts *certOptions, RootCa *x509.Certificate, RootCaPrivateKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateIntermediateCertificate will generate the DCA and intermediate chain. It is acceptable to publicly share this chain. requires to call GenerateNewCARoot beforehand. Reusing Opts is recommended.

func GenerateNewCARoot

func GenerateNewCARoot(opts *certOptions) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateNewCARoot returns the new certificate anchor for a chain. This should ideally only be called once as rotating this will invalidate all existing private certs. Unless, you add it and reload and x509.CertPool in a server.

func GenerateSSHKeyPair

func GenerateSSHKeyPair(privateKey *rsa.PrivateKey) ([]byte, []byte)

GenerateSSHKeyPair will generate a re-encoded private rsa key and public key from an existing *rsa.PrivateKey.

func GenerateServerKey

func GenerateServerKey(opts *certOptions, intermediateCert *x509.Certificate, intermediatePrivateKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey, error)

GenerateServerKey will generate the final tls cert, generally requires GenerateIntermediateCertificate and GenerateNewCARoot to be called beforehand. Reusing Opts is recommended.

func NewOptions

func NewOptions(mods ...Modifier) (*certOptions, error)

func NewSSHSigner

func NewSSHSigner(signer crypto.Signer, algo string) (ssh.Signer, error)

func NewSigner

func NewSigner(key PrivateKey) (ssh.Signer, error)

func SSHCertRemainingTTL

func SSHCertRemainingTTL(cert *ssh.Certificate) time.Duration

SSHCertRemainingTTL returns the remaining ttl of a cert when compared to current time.

If the cert is invalid it will return a ttl of 0. If it is infinite it will return max time.Duration, MaxCertTimeDuration.

func SSHCertTotalTTL

func SSHCertTotalTTL(cert *ssh.Certificate) time.Duration

SSHCertTotalTTL returns the total ttl of a cert. If the ttl is invalid, it will return a duration of 0. If the cert is infinite, it will return the max time.Duration.

func SignPublicKey

func SignPublicKey(p PrivateKey, certType uint32, principals []string, ttl time.Duration, pub ssh.PublicKey, mods ...CertMod) (*ssh.Certificate, error)

SignPublicKey will sign and return credentials based on the CA signer and given parameters to generate a user cert, certType must be 1, and host certs ust have certType 2

func WriteAgentToCache

func WriteAgentToCache(store cache.Store, agent *SSHAgent) error

Types

type AgentCert

type AgentCert struct {
	MD5        string
	Principals []string
	Ext        map[string]string
	ValidFor   time.Duration
}

type CertMod

type CertMod func(certificate *ssh.Certificate) *ssh.Certificate
var NoOp CertMod = func(certificate *ssh.Certificate) *ssh.Certificate {
	return certificate
}

type Modifier

type Modifier func(o *certOptions) error

func WithCountries

func WithCountries(countries []string) Modifier

func WithIpAddresses

func WithIpAddresses(ips []net.IP) Modifier

func WithNotValidBefore

func WithNotValidBefore(startTime time.Time) Modifier

func WithOrganizations

func WithOrganizations(orgs []string) Modifier

func WithValidUntil

func WithValidUntil(validUntil time.Time) Modifier

type PrivateKey

type PrivateKey interface {
	Signer() crypto.Signer
	SigningAlgo() string
	Raw() interface{}
	SSHPemEncode() ([]byte, error)
}

func FromEC25519

func FromEC25519(key ed25519.PrivateKey) PrivateKey

func FromRSA

func FromRSA(key *rsa.PrivateKey) PrivateKey

func GenerateED25519

func GenerateED25519() (ssh.PublicKey, PrivateKey, error)

func GenerateRSA

func GenerateRSA() (ssh.PublicKey, PrivateKey, error)

type SSHAgent

type SSHAgent struct {
	State SSHAgentState

	// Close will free the resources allocated by this SSHAgent object.
	//
	// If an ssh-agent was started, the Close() call will kill it.
	// If an ssh-agent was found in the environment, it will leave it running.
	Close func()
	// contains filtered or unexported fields
}

SSHAgent is a wrapper around golang.org/x/crypto/ssh/agent to ease the creation and management of ssh-agents.

func FindOrCreateSSHAgent

func FindOrCreateSSHAgent(store cache.Store, mods ...SSHAgentModifier) (*SSHAgent, error)

FindOrCreateSSHAgent Will start the ssh agent in the interactive terminal if it isn't present already as an environment variable It will pull, in order: from the env, from the cache, create new.

func NewSSHAgent

func NewSSHAgent(mods ...SSHAgentModifier) (*SSHAgent, error)

func PrepareSSHAgent

func PrepareSSHAgent(store cache.Store, mods ...SSHAgentModifier) (*SSHAgent, error)

PrepareSSHAgent ensures that we end up with a working ssh-agent, either by discovering an existing ssh-agent or creating a new one. It also ensures that we have an up-to-date symlink to that agent's socket in the standard location.

The final ssh-agent socket returned by PrepareSSHAgent is always ~/.config/enkit/agent.

func (SSHAgent) AddCertificates

func (a SSHAgent) AddCertificates(privateKey PrivateKey, publicKey ssh.PublicKey) error

AddCertificates loads an ssh certificate into the agent. privateKey must be a key type accepted by the golang.org/x/ssh/agent AddedKey struct. At time of writing, this can be: *rsa.PrivateKey, *dsa.PrivateKey, ed25519.PrivateKey or *ecdsa.PrivateKey. Note that ed25519.PrivateKey should be passed by value.

func (*SSHAgent) CreateNew

func (agent *SSHAgent) CreateNew() error

CreateNewSSHAgent creates a new ssh agent.

Its env variables have not been added to the shell. It does not maintain its own connection.

func (SSHAgent) GetEnv

func (a SSHAgent) GetEnv() []string

func (*SSHAgent) GetStandardSocketPath

func (a *SSHAgent) GetStandardSocketPath() (string, error)

func (SSHAgent) Kill

func (a SSHAgent) Kill() error

func (*SSHAgent) LoadFromCache

func (agent *SSHAgent) LoadFromCache(store cache.Store) error

func (*SSHAgent) LoadFromEnvironment

func (agent *SSHAgent) LoadFromEnvironment() error

LoadFromEnvironment prepares an SSHAgent from environment variables.

This is useful to configure an already running ssh-agent, post `eval ssh-agent`.

func (SSHAgent) Principals

func (a SSHAgent) Principals() ([]AgentCert, error)

Principals returns a map where the keys are the CA's PKS and the certs identities are the values

func (*SSHAgent) UseStandardPaths

func (a *SSHAgent) UseStandardPaths() error

func (SSHAgent) Valid

func (a SSHAgent) Valid() error

type SSHAgentFlags

type SSHAgentFlags struct {
	Timeout   time.Duration
	AgentPath string
	AgentArgs []string
}

func SSHAgentDefaultFlags

func SSHAgentDefaultFlags() *SSHAgentFlags

func (*SSHAgentFlags) Register

func (f *SSHAgentFlags) Register(set kflags.FlagSet, prefix string) *SSHAgentFlags

type SSHAgentModifier

type SSHAgentModifier func(s *SSHAgent) error

func WithAgentPath

func WithAgentPath(path string, args []string) SSHAgentModifier

func WithConfigDir

func WithConfigDir(dir string) SSHAgentModifier

func WithFlags

func WithFlags(f *SSHAgentFlags) SSHAgentModifier

func WithLogging

func WithLogging(log logger.Logger) SSHAgentModifier

func WithTimeout

func WithTimeout(timeout time.Duration) SSHAgentModifier

type SSHAgentModifiers

type SSHAgentModifiers []SSHAgentModifier

func (SSHAgentModifiers) Apply

func (m SSHAgentModifiers) Apply(a *SSHAgent) error

type SSHAgentState

type SSHAgentState struct {
	PID    int    `json:"pid"`
	Socket string `json:"sock"`
}

SSHAgentState is the struct marsheld/unmarshaled to/from disk to maintain state about an existing ssh-agent.

type SSHKeyGenerator

type SSHKeyGenerator func() (ssh.PublicKey, PrivateKey, error)

KeyGenerator is A function capable of generating a key pair.

The function is expected to return a Public Key, a Private Key, and an error.

Only keys supported by x/crypto/ssh.NewPublicKey are supported.

var (
	GenerateDefault SSHKeyGenerator = GenerateED25519
)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL