commands

package
v0.8.1 (Latest)
Warning: This package is not in the latest version of its module.
Published: Mar 31, 2025 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func IdentityString

func IdentityString(pkt pktoken.PKToken) (string, error)

func Login

func Login(ctx context.Context, provider client.OpenIdProvider) error

Login performs the OIDC login procedure and creates the SSH certs/keys in the default SSH key location.

func LoginWithRefresh

func LoginWithRefresh(ctx context.Context, provider providers.RefreshableOpenIdProvider) error

LoginWithRefresh performs the OIDC login procedure, creates the SSH certs/keys in the default SSH key location, and continues to run and refresh the PKT (and create new SSH certs) indefinitely as its token expires. This function only returns if it encounters an error or if the supplied context is cancelled.

func ReadHome

func ReadHome(username string) ([]byte, error)

ReadHome reads the home policy file for the user with the specified username. It is used when opkssh is called by AuthorizedKeysCommand as the opksshuser and needs sudoer access to read the home policy file (`/home/<username>/.opk/auth_id`). This function is only available on Linux and Darwin because it relies on syscall.Stat_t to determine the owner of the file.

Types

type AddCmd

type AddCmd struct {
	HomePolicyLoader   *policy.HomePolicyLoader
	SystemPolicyLoader *policy.SystemPolicyLoader

	// Username is the username to lookup when the system policy file cannot be
	// read and we fallback to the user's policy file.
	//
	// See AddCmd.LoadPolicy for more details.
	Username string
}

AddCmd provides functionality to read and update the opkssh policy file

func (*AddCmd) GetPolicyPath

func (a *AddCmd) GetPolicyPath(principal string, userEmail string, issuer string) (string, bool, error)

GetPolicyPath returns the path to the policy file that the current command will write to, and a boolean indicating which kind of policy that path refers to: true means the home policy, false means the system policy.

func (*AddCmd) LoadPolicy

func (a *AddCmd) LoadPolicy() (*policy.Policy, string, error)

LoadPolicy reads the opkssh policy at the policy.SystemDefaultPolicyPath. If there is a permission error when reading this file, then the user's local policy file (defined as ~/.opk/auth_id where ~ maps to AddCmd.Username's home directory) is read instead.

If successful, returns the parsed policy and filepath used to read the policy. Otherwise, a non-nil error is returned.

func (*AddCmd) Run

func (a *AddCmd) Run(principal string, userEmail string, issuer string) (string, error)

Run adds principal as a new allowed principal for the identity whose email is userEmail at the OpenID Provider issuer. The policy file is read, modified and updated in place.

If successful, returns the path of the policy file that was updated. Otherwise, returns a non-nil error.
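The lookup order AddCmd.LoadPolicy describes (system policy first, home policy only when the system file cannot be read for permission reasons), together with the file-owner check that ReadHome relies on, as an added Go example that is not opkssh's own code. It assumes the system policy lives at /etc/opk/auth_id and the home policy at ~/.opk/auth_id, takes the target user's uid rather than a username, and adds two hardening steps the page does not describe: the home file is opened with O_NOFOLLOW and fstat'ed on the open descriptor (no window between check and read), and a group- or world-writable policy file is refused.

```go
// Added example, not opkssh code: system-then-home policy lookup with an
// owner check on the home file. Linux/Darwin only (syscall.Stat_t).
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// readOwnedBy reads path only if it is a regular file owned by wantUID and
// not writable by group or others. The owner check mirrors what ReadHome
// does with syscall.Stat_t; the mode check is an extra step added here
// (assumption: a policy file other users can edit must not be trusted).
func readOwnedBy(path string, wantUID uint32) ([]byte, error) {
	// O_NOFOLLOW: a symlink planted in the user's home directory must not
	// redirect the read to a file the user does not own.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat() // fstat on the descriptor we will read from
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, fmt.Errorf("%s: not a regular file", path)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return nil, fmt.Errorf("%s: cannot determine file owner on this platform", path)
	}
	if st.Uid != wantUID {
		return nil, fmt.Errorf("%s: owned by uid %d, expected uid %d", path, st.Uid, wantUID)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return nil, fmt.Errorf("%s: group/world writable (mode %#o)", path, info.Mode().Perm())
	}
	return io.ReadAll(f)
}

// readFunc is the reader used for the system policy; os.ReadFile in practice,
// injectable so the permission-denied path can be exercised without root.
type readFunc func(string) ([]byte, error)

// loadPolicy returns the policy bytes, the path they came from, and whether
// the home policy was used. Only a permission error on the system path
// triggers the fallback; any other error (missing file, I/O error) is
// returned as-is so a broken system policy is never silently bypassed.
func loadPolicy(systemPath, homePath string, homeUID uint32, readSystem readFunc) ([]byte, string, bool, error) {
	data, err := readSystem(systemPath)
	if err == nil {
		return data, systemPath, false, nil
	}
	if !errors.Is(err, fs.ErrPermission) {
		return nil, "", false, fmt.Errorf("system policy %s: %w", systemPath, err)
	}
	data, err = readOwnedBy(homePath, homeUID)
	if err != nil {
		return nil, "", false, fmt.Errorf("home policy %s: %w", homePath, err)
	}
	return data, homePath, true, nil
}

func main() {
	dir, err := os.MkdirTemp("", "opk-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed stand-in for /home/<user>/.opk/auth_id (assumed path).
	home := filepath.Join(dir, "auth_id")
	if err := os.WriteFile(home, []byte("alice alice@example.com https://accounts.google.com\n"), 0o600); err != nil {
		panic(err)
	}
	// Simulate the unprivileged opksshuser being refused the system policy.
	denied := func(string) ([]byte, error) { return nil, fs.ErrPermission }
	data, path, isHome, err := loadPolicy("/etc/opk/auth_id", home, uint32(os.Getuid()), denied)
	fmt.Printf("path=%s home=%v err=%v\n%s", path, isHome, err, data)
	// A home file owned by someone else must be refused.
	_, _, _, err = loadPolicy("/etc/opk/auth_id", home, uint32(os.Getuid())+1, denied)
	fmt.Println("wrong owner:", err)
}
```

On a real host the reader for the system path is simply os.ReadFile; when opkssh runs as opksshuser and /etc/opk/auth_id is root-owned mode 0600, that call returns an error satisfying errors.Is(err, fs.ErrPermission), which is exactly the case the fallback is for.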

type LoginCmd

type LoginCmd struct {
	// contains filtered or unexported fields
}

func NewLogin

func NewLogin(autoRefresh bool, logDir string, disableBrowserOpenArg bool, providerArg string, providerFromLdFlags providers.OpenIdProvider) *LoginCmd

func (*LoginCmd) Run

func (l *LoginCmd) Run(ctx context.Context) error

type PolicyEnforcerFunc

type PolicyEnforcerFunc func(username string, pkt *pktoken.PKToken) error

PolicyEnforcerFunc returns nil if the supplied PK token is permitted to login as username. Otherwise, an error is returned indicating the reason for rejection.

func OpkPolicyEnforcerFunc

func OpkPolicyEnforcerFunc(username string) PolicyEnforcerFunc

OpkPolicyEnforcerFunc returns a PolicyEnforcerFunc backed by the opkssh policy.Enforcer, for use in the opkssh verify command.

type VerifyCmd

type VerifyCmd struct {
	// PktVerifier is responsible for verifying the PK token
	// contained in the SSH certificate
	PktVerifier verifier.Verifier
	// CheckPolicy determines whether the verified PK token is permitted to SSH as a
	// specific user
	CheckPolicy PolicyEnforcerFunc
}

VerifyCmd provides functionality to verify OPK tokens contained in SSH certificates and authorize requests to SSH as a specific username using a configurable authorization system. It is designed to be used in conjunction with sshd's AuthorizedKeysCommand feature.

func (*VerifyCmd) AuthorizedKeysCommand

func (v *VerifyCmd) AuthorizedKeysCommand(ctx context.Context, userArg string, typArg string, certB64Arg string) (string, error)

This function is called by the SSH server as the AuthorizedKeysCommand:

The following lines are added to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/local/bin/opkssh ver %u %k %t
AuthorizedKeysCommandUser opksshuser

The parameters specified in the config map to the parameters of this function. We prepend "Arg" to mark the ones supplied by sshd. They are:

%u The username (requested principal) - userArg
%k The base64-encoded public key offered for authentication - certB64Arg - here the public key is an SSH certificate
%t The public key type - typArg - here one of the SSH certificate key types

Note that the positional order in sshd_config (%u %k %t) differs from this function's parameter order (userArg, typArg, certB64Arg); take care to pass them in the right positions when calling it directly. sshd_config(5) also requires the AuthorizedKeysCommand program to be given by an absolute path, owned by root and not writable by group or others, and recommends that AuthorizedKeysCommandUser be a dedicated account with no other role on the host, as opksshuser is above.

AuthorizedKeysCommand verifies the OPK PK token contained in the base64-encoded SSH pubkey; the pubkey is expected to be an SSH certificate. typArg is used to determine how to parse the pubkey as one of the SSH certificate types.

This function:

1. Verifies the PK token with the OP (OpenID Provider).
2. Enforces policy by checking whether the identity is allowed to assume the username (principal) requested.

If all steps of verification succeed, then the expected authorized_keys file format string is returned (i.e. the expected line to produce on standard output when using sshd's AuthorizedKeysCommand feature). Otherwise, a non-nil error is returned.
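The policy step of AuthorizedKeysCommand, the PolicyEnforcerFunc contract, and the update that AddCmd.Run makes, shown together as an added Go example that is not opkssh's own code. It assumes auth_id lines of the form `principal email issuer` (blank lines and `#` comments ignored), stands in a small Identity struct for the verified *pktoken.PKToken, and leaves step 1 (verifying the token with the OP) out of scope; the sample policy and certificate blob are constructed for the example.

```go
// Added example, not opkssh code: auth_id parsing, the AddCmd.Run update,
// a PolicyEnforcerFunc-shaped check, and the authorized_keys line on success.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Rule is one auth_id line: who (email at issuer) may log in as Principal.
// Format assumed here: "principal email issuer".
type Rule struct {
	Principal, Email, Issuer string
}

type Policy struct{ Rules []Rule }

// Identity is the subset of a verified PK token the policy needs (assumption:
// the email claim and the issuer are what rules match against).
type Identity struct{ Email, Issuer string }

// ParsePolicy parses auth_id text. A malformed line is an error rather than
// being skipped, so a typo cannot silently drop or widen a rule.
func ParsePolicy(text string) (*Policy, error) {
	p := &Policy{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("auth_id line %d: want 'principal email issuer', got %d fields", n, len(f))
		}
		p.Rules = append(p.Rules, Rule{Principal: f[0], Email: f[1], Issuer: f[2]})
	}
	return p, sc.Err()
}

// AddAllowedPrincipal is the update AddCmd.Run performs: append the rule
// unless an identical one already exists. Reports whether anything changed.
func (p *Policy) AddAllowedPrincipal(principal, email, issuer string) bool {
	r := Rule{Principal: principal, Email: email, Issuer: issuer}
	for _, have := range p.Rules {
		if have == r {
			return false
		}
	}
	p.Rules = append(p.Rules, r)
	return true
}

// String renders the policy back in auth_id form for writing to disk.
func (p *Policy) String() string {
	var b strings.Builder
	for _, r := range p.Rules {
		fmt.Fprintf(&b, "%s %s %s\n", r.Principal, r.Email, r.Issuer)
	}
	return b.String()
}

// Enforcer has the shape of commands.PolicyEnforcerFunc with Identity in
// place of *pktoken.PKToken: nil means allowed, an error says why not.
type Enforcer func(username string, id Identity) error

var ErrDenied = errors.New("identity not permitted to login as requested principal")

// Enforce matches the full (principal, email, issuer) triple. The issuer must
// match as well: the same email string at a different OP is a different
// identity. Comparison is exact; case-folding emails would be a policy
// decision and is deliberately not done here.
func (p *Policy) Enforce(username string, id Identity) error {
	for _, r := range p.Rules {
		if r.Principal == username && r.Email == id.Email && r.Issuer == id.Issuer {
			return nil
		}
	}
	return fmt.Errorf("%w: %s at %s as %s", ErrDenied, id.Email, id.Issuer, username)
}

// AuthorizedKeysLine is what goes to stdout when the request is allowed: the
// key type and base64 blob sshd handed us, in authorized_keys format. On
// denial it returns an error and the caller must print nothing at all.
func AuthorizedKeysLine(check Enforcer, username, keyType, certB64 string, id Identity) (string, error) {
	if err := check(username, id); err != nil {
		return "", err
	}
	return keyType + " " + certB64, nil
}

func main() {
	// Constructed sample policy, not a real deployment's file.
	const authID = "# principal email issuer\n" +
		"alice alice@example.com https://accounts.google.com\n"
	pol, err := ParsePolicy(authID)
	if err != nil {
		panic(err)
	}
	pol.AddAllowedPrincipal("root", "alice@example.com", "https://accounts.google.com")
	alice := Identity{Email: "alice@example.com", Issuer: "https://accounts.google.com"}
	line, err := AuthorizedKeysLine(pol.Enforce, "root", "ssh-ed25519-cert-v01@openssh.com", "AAAA...", alice)
	fmt.Println(line, err)
	_, err = AuthorizedKeysLine(pol.Enforce, "bob", "ssh-ed25519-cert-v01@openssh.com", "AAAA...", alice)
	fmt.Println(err)
}
```

When wired into the `ver` subcommand, the only output on success is that single line; on any error the process must emit nothing on stdout, since an empty result leaves sshd with no key to match and the login falls through to whatever AuthorizedKeysFile allows.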
