keyid

package
v0.0.19
Published: Dec 16, 2024 License: Apache-2.0 Imports: 2 Imported by: 3

Documentation

Overview

Package keyid contains an extensive keyID struct for ssh certificates.

Index

Constants

const (
	// DefaultVersion is the default version of keyID.
	// Currently, only version 1 is supported.
	DefaultVersion = 1

	// MsgUnsupportedVersion should be used as the error message when the version of KeyID is not supported.
	MsgUnsupportedVersion = "unsupported Key ID version: %d"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type KeyID

type KeyID struct {
	Principals []string `json:"prins"`
	TransID    string   `json:"transID"`
	ReqUser    string   `json:"reqUser"`
	ReqIP      string   `json:"reqIP"`
	ReqHost    string   `json:"reqHost"`
	// IsFirefighter indicates whether the certificate is for an emergency situation.
	IsFirefighter bool `json:"isFirefighter"`
	// IsHWKey indicates whether the certificate's key is backed by hardware (YubiKey).
	IsHWKey bool `json:"isHWKey"`
	// IsHeadless indicates whether the certificate is provisioned for CI/CD pipelines.
	IsHeadless bool `json:"isHeadless"`
	// IsNonce indicates whether the certificate is regarded as a one-time certificate-based token.
	IsNonce     bool `json:"isNonce"`
	Usage       `json:"usage"`
	TouchPolicy `json:"touchPolicy"`
	Version     uint16 `json:"ver"`
}

KeyID contains all the fields in key ID.

func Clone

func Clone(k *KeyID) *KeyID

Clone returns a clone of the specified keyID.

func New

func New() *KeyID

New creates a default KeyID.

func Unmarshal

func Unmarshal(kidStr string) (*KeyID, error)

Unmarshal decodes the input string to a KeyID struct.

func (*KeyID) GetProperty

func (kid *KeyID) GetProperty(name string) string

GetProperty returns the string value of a property looked up by the given name. Package pam-ysshca relies on the fields in KeyID. We don't want to update pam-ysshca and modify the config file on destination hosts every time the key ID format changes (e.g. json tags). Hence, the value of the property is extracted by switch cases here.

func (*KeyID) Marshal

func (kid *KeyID) Marshal() (string, error)

Marshal encodes keyID to a string.

func (*KeyID) SetHumanUser

func (kid *KeyID) SetHumanUser()

SetHumanUser updates the KeyID to be a human user KeyID.

type TouchPolicy

type TouchPolicy int

TouchPolicy is an integer that indicates the touch policy of a certificate. The touch operation is currently only available on YubiKey 4 or later.

Reference: https://developers.yubico.com/PIV/Introduction/Yubico_extensions.html

const (
	// DefaultTouch indicates that the default touch behaviour for a key slot is used.
	DefaultTouch TouchPolicy = iota
	// NeverTouch indicates that the touch is never required for operations.
	NeverTouch
	// AlwaysTouch indicates that the touch is always required for operations.
	AlwaysTouch
	// CachedTouch indicates that the touch is cached for 15s after use (valid from YubiKey 4.3).
	CachedTouch
)

func (TouchPolicy) String

func (policy TouchPolicy) String() string

String() returns the name of the given policy.

type Usage

type Usage int

Usage is an integer that limits what the certificate may be used for. It is used to restrict sudo permission on some headless-style certificates.

const (
	// AllUsage is the default value of usage for now, and it indicates the certificate provides both SSH and Sudo permissions.
	AllUsage Usage = iota
	// SSHOnlyUsage indicates the certificate provides SSH permission only.
	SSHOnlyUsage
)
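A host-side check built on the Usage and Version fields above, as an added example that is neither this package's code nor pam-ysshca's: it re-declares the struct with the page's json tags instead of importing the package (the page does not state the import path) and assumes a certificate's key ID string is that struct's JSON serialization; AllowSudo is a hypothetical name.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local copy of the page's KeyID, Usage and DefaultVersion (same json tags).
// Assumption: a certificate's key ID is this struct's JSON serialization.
const DefaultVersion = 1

type Usage int
const (
	AllUsage     Usage = iota // SSH and sudo permitted
	SSHOnlyUsage              // SSH only, no sudo
)

type TouchPolicy int

type KeyID struct {
	Principals    []string `json:"prins"`
	TransID       string   `json:"transID"`
	ReqUser       string   `json:"reqUser"`
	ReqIP         string   `json:"reqIP"`
	ReqHost       string   `json:"reqHost"`
	IsFirefighter bool     `json:"isFirefighter"`
	IsHWKey       bool     `json:"isHWKey"`
	IsHeadless    bool     `json:"isHeadless"`
	IsNonce       bool     `json:"isNonce"`
	Usage         `json:"usage"`
	TouchPolicy   `json:"touchPolicy"`
	Version       uint16 `json:"ver"`
}

// AllowSudo is a hypothetical host-side check: decode the key ID, reject
// unsupported versions, and allow sudo only when usage is not SSH-only.
func AllowSudo(kidStr string) (bool, error) {
	var kid KeyID
	if err := json.Unmarshal([]byte(kidStr), &kid); err != nil {
		return false, fmt.Errorf("malformed Key ID: %w", err)
	}
	if kid.Version != DefaultVersion {
		return false, fmt.Errorf("unsupported Key ID version: %d", kid.Version)
	}
	return kid.Usage != SSHOnlyUsage, nil
}

func main() { // constructed sample: a headless CI cert restricted to SSH only
	fmt.Println(AllowSudo(`{"prins":["deploy"],"isHeadless":true,"usage":1,"ver":1}`)) // false <nil>
}
```

Because encoding/json ignores unknown keys, the check keeps working if the key ID later gains fields, but a renamed json tag would silently zero the field, which is exactly the drift GetProperty exists to absorb.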
