Documentation
Index
- func AddHostToHostList(hostList []string, hostname string) []string
- func CheckAndSplitValidityKey(input string, caName string) ([]string, error)
- func FormatHostCAPublicKeysForRegistry(hostCAPublicKeys map[string][]string, hostname string) map[string][]HostCAPublicKeyForRegistry
- func FormatLocalCommandString(tshPath string, cluster string) (string, error)
- func NaivelyValidateHostname(hostname string) bool
- func ProcessHostCAPublicKeys(tc *client.TeleportClient, cfContext context.Context, clusterName string) (map[string][]string, error)
- type HostCAPublicKeyForRegistry
- type PuttyProxyTelnetCommandArgs
Constants
This section is empty.
Variables
This section is empty.
Functions
func AddHostToHostList
func AddHostToHostList(hostList []string, hostname string) []string
AddHostToHostList adds a new hostname to PuTTY's list of trusted hostnames for a given host CA.
Background:
- For every host CA that it is configured to trust, PuTTY maintains a list of hostnames (hostList) which it should consider to be valid for that host CA. This is the same as the @cert-authority lines in an `~/.ssh/known_hosts` file.
- Trusted hostnames can be individual entries (host1, host2) or wildcards like "*.example.com".
- PuTTY keeps this list of hostnames stored against each host CA in the Windows registry. It exposes a GUI (under Connection -> SSH -> Host Keys -> Configure Host CAs at the time of writing) which expects any new host CAs and trusted hostnames for each to be added manually by end users as part of session configuration.
- This process is mandatory for validation of host CAs in PuTTY to work, but is a cumbersome manual process with many clicks required in a nested interface. Instead, this function is called as part of `tsh puttyconfig` to examine the existing list of trusted hostnames and automate the process of adding a new valid hostname to a given host CA.
Connection flow:
- When connecting to a host which presents a host CA, PuTTY searches its list of CAs to find any which are considered valid for that hostname, then checks whether the host's presented CA matches any of them. If there is a CA -> hostname match, the connection will continue successfully. If not, an error will be shown.
Intended operation of this function:
- This function is passed the current list of trusted hostnames for a given host CA (retrieved from the registry), along with a new hostname entry (from `tsh puttyconfig <hostname>`) which should be added to the list.
- It appends the new hostname to the end of the hostList.
- All hostnames in the hostList are converted to their wildcard form if they contain a dot (test.example.com -> *.example.com) and are grouped together.
- If a wildcard group only contains a single hostname which would be matched by its wildcard equivalent, that hostname is added to the hostList verbatim to prevent inadvertently matching against too many hosts with the same wildcard.
- If a wildcard matches more than one hostname, the wildcard will be added to the hostList instead and the single hostnames discarded.
- The hostList is then sorted alphabetically and returned.
This is an effort to keep the length of hostList as short as possible for efficiency and tidiness, while not using any more wildcards than necessary and preventing the need for end users to manually configure their trusted host CAs.
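As an added illustration, not the package's own code, the Go function below implements the steps listed above for AddHostToHostList; how a wildcard that is already present in the list is treated (it keeps its group collapsed) is an assumption, since the description above does not cover that case.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// addHostToHostList follows the documented steps: append the new hostname, group
// dotted hostnames under their "*.domain" form, keep a lone hostname verbatim so a
// wildcard does not widen trust, collapse groups of two or more, then sort.
func addHostToHostList(hostList []string, hostname string) []string {
	all := append(append([]string{}, hostList...), hostname)
	var result []string
	seen := map[string]bool{}
	groups := map[string][]string{} // wildcard form -> hostnames it would match
	for _, h := range all {
		h = strings.TrimSpace(h)
		if h == "" || seen[h] {
			continue // skip blanks and exact duplicates
		}
		seen[h] = true
		dot := strings.Index(h, ".")
		switch {
		case dot < 0:
			result = append(result, h) // bare name: it has no wildcard form
		case strings.HasPrefix(h, "*."):
			groups[h] = append(groups[h], h) // assumption: an existing wildcard anchors its own group
		default:
			wc := "*." + h[dot+1:]
			groups[wc] = append(groups[wc], h)
		}
	}
	for wc, hosts := range groups {
		if len(hosts) == 1 && hosts[0] != wc {
			result = append(result, hosts[0]) // single match: keep verbatim, no wildcard
		} else {
			result = append(result, wc) // two or more (or the wildcard itself): use the wildcard
		}
	}
	sort.Strings(result) // map iteration order is random; sorting makes the output stable
	return result
}

func sameList(a, b []string) bool { return strings.Join(a, "\n") == strings.Join(b, "\n") }

func main() {
	fmt.Println(addHostToHostList([]string{"host1", "db.example.com"}, "web.example.com"))
}
```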
func CheckAndSplitValidityKey
func CheckAndSplitValidityKey(input string, caName string) ([]string, error)
CheckAndSplitValidityKey processes PuTTY's "Validity" string key into individual list elements and checks that its formatting follows the simple pattern "<hostname> || <hostname> || ...". PuTTY uses a custom string format to represent which hostnames a given key should be trusted for. See https://the.earth.li/~sgtatham/putty/0.79/htmldoc/Chapter4.html#config-ssh-cert-valid-expr for details.
func FormatHostCAPublicKeysForRegistry
func FormatHostCAPublicKeysForRegistry(hostCAPublicKeys map[string][]string, hostname string) map[string][]HostCAPublicKeyForRegistry
FormatHostCAPublicKeysForRegistry formats a map of clusterNames -> []CAs into a platform-agnostic intermediate struct format. This format is passed into functions which write to the Windows registry.
func FormatLocalCommandString
func FormatLocalCommandString(tshPath string, cluster string) (string, error)
FormatLocalCommandString replaces placeholders in a constant with actual values.
func NaivelyValidateHostname
func NaivelyValidateHostname(hostname string) bool
NaivelyValidateHostname checks the provided hostname against a naive regex to ensure it doesn't contain obviously illegal characters. It's not guaranteed to be perfect, just a simple sanity check. It returns true when the hostname validates.
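An added example, not the package's own implementation, of the kind of splitting and naive hostname check that CheckAndSplitValidityKey and NaivelyValidateHostname describe. The regular expression and error wording are assumptions; the splitter accepts only the simple `<hostname> || <hostname>` form and rejects PuTTY's richer `&&`/port expressions, which is the conservative outcome for a key that is about to decide host-key trust.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed naive pattern: dot-separated labels of letters, digits and inner hyphens,
// optionally led by a "*." wildcard label. Anything else (spaces, "&&", ports) fails.
var naiveHostnameRE = regexp.MustCompile(`^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

// naivelyValidateHostname is a sanity check, not a full RFC 1123 validator.
func naivelyValidateHostname(hostname string) bool {
	return len(hostname) <= 253 && naiveHostnameRE.MatchString(hostname)
}

// checkAndSplitValidityKey accepts only the simple "<hostname> || <hostname> || ..."
// form of PuTTY's Validity key and names the offending CA in every error.
func checkAndSplitValidityKey(input, caName string) ([]string, error) {
	input = strings.TrimSpace(input)
	if input == "" {
		return nil, fmt.Errorf("host CA %q: Validity key is empty", caName)
	}
	parts := strings.Split(input, "||")
	hosts := make([]string, 0, len(parts))
	for i, p := range parts {
		h := strings.TrimSpace(p)
		if h == "" {
			return nil, fmt.Errorf("host CA %q: Validity element %d is empty", caName, i)
		}
		if !naivelyValidateHostname(h) {
			return nil, fmt.Errorf("host CA %q: Validity element %q is not a plain hostname or *.wildcard", caName, h)
		}
		hosts = append(hosts, h)
	}
	return hosts, nil
}

func main() {
	hosts, err := checkAndSplitValidityKey("host1 || *.example.com || db.example.com", "example-ca")
	fmt.Println(hosts, err)
}
```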
func ProcessHostCAPublicKeys
func ProcessHostCAPublicKeys(tc *client.TeleportClient, cfContext context.Context, clusterName string) (map[string][]string, error)
ProcessHostCAPublicKeys gets all the host CAs that the passed client can load (which will be a root cluster and any connected leaf clusters), iterates over them to find any host CAs which map to the requested root or leaf cluster and builds a map containing [targetClusterName]->[]CAs. These host CA public keys are then ultimately written to the registry so that PuTTY can validate host keys against them when connecting.