Merge pull request #41 from gravitational/alex/ssh-agent

Added time limits for certificates
alexlyulkov 2015-10-27 17:01:39 -07:00
commit 1a065d9190
3 changed files with 38 additions and 3 deletions


@ -139,7 +139,7 @@ func (s *AuthServer) SignIn(user string, password []byte) (*Session, error) {
if err != nil {
return nil, err
}
if err := s.UpsertWebSession(user, sess, time.Hour); err != nil {
if err := s.UpsertWebSession(user, sess, WebSessionTTL); err != nil {
return nil, err
}
return sess, nil
@ -192,7 +192,7 @@ func (s *AuthServer) NewWebSession(user string) (*Session, error) {
if err != nil {
return nil, err
}
cert, err := s.Authority.GenerateUserCert(hk.Priv, pub, user, user, 0)
cert, err := s.Authority.GenerateUserCert(hk.Priv, pub, user, user, WebSessionTTL)
if err != nil {
return nil, err
}
@ -233,5 +233,6 @@ func (s *AuthServer) DeleteWebSession(user string, sid session.SecureID) error {
}
const (
Week = time.Hour * 24 * 7
Week = time.Hour * 24 * 7
WebSessionTTL = time.Hour * 10
)
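Review bot: The SignIn hunk (the UpsertWebSession line) replaces a one-hour web session with WebSessionTTL, which the new const block sets to ten hours, so this commit lengthens the web session lifetime tenfold in addition to bounding certificates; the title and description mention only certificate limits, and a longer session lifetime widens the window in which a leaked session id stays usable, so the change should be stated and justified. WebSessionTTL is also passed as the user-certificate ttl in NewWebSession, where GenerateUserCert (changed in the same commit) rejects values outside its MinCertDuration/MaxCertDuration range, so a later edit to this constant can turn into a runtime sign-in failure; a doc comment on the constant would make that coupling visible: `// WebSessionTTL bounds both the web session and the user certificate issued for it; it must stay within the ttl range accepted by Authority.GenerateUserCert.` The exported Week and WebSessionTTL constants currently carry no doc comments. SignIn and NewWebSession both begin outside their hunks.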


@ -7,6 +7,8 @@ import (
"encoding/pem"
"time"
"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/gravitational/trace"
"github.com/gravitational/teleport/Godeps/_workspace/src/golang.org/x/crypto/ssh"
)
@ -65,6 +67,9 @@ func (n *nauth) GenerateHostCert(pkey, key []byte, id, hostname string, ttl time
}
func (n *nauth) GenerateUserCert(pkey, key []byte, id, username string, ttl time.Duration) ([]byte, error) {
if (ttl > MaxCertDuration) || (ttl < MinCertDuration) {
return nil, trace.Errorf("wrong certificate ttl")
}
pubKey, _, _, _, err := ssh.ParseAuthorizedKey(key)
if err != nil {
return nil, err
@ -89,3 +94,8 @@ func (n *nauth) GenerateUserCert(pkey, key []byte, id, username string, ttl time
}
return ssh.MarshalAuthorizedKey(cert), nil
}
const (
MinCertDuration = time.Minute
MaxCertDuration = 30 * time.Hour
)
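Review bot: The new guard in GenerateUserCert reports `wrong certificate ttl` without saying what was rejected or what is allowed, which makes a caller's misconfiguration (for example a session TTL above MaxCertDuration) hard to diagnose from the error alone; prefer `return nil, trace.Errorf("certificate ttl %v must be between %v and %v", ttl, MinCertDuration, MaxCertDuration)`. The range check appears only in GenerateUserCert in this diff, while the test file in this commit also expects GenerateHostCert to reject negative, zero and 40h ttls; if GenerateHostCert does not already enforce the same range (not visible here), host certificates remain unbounded. MinCertDuration and MaxCertDuration are exported without doc comments; a line such as `// MinCertDuration and MaxCertDuration bound the ttl accepted by GenerateUserCert.` would document the contract. GenerateUserCert's body continues outside the hunk.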


@ -48,6 +48,18 @@ func (s *AuthSuite) GenerateHostCert(c *C) {
_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
c.Assert(err, IsNil)
_, err = s.A.GenerateHostCert(priv, pub, "user", "user", -20)
c.Assert(err, NotNil)
_, err = s.A.GenerateHostCert(priv, pub, "user", "user", 0)
c.Assert(err, NotNil)
_, err = s.A.GenerateHostCert(priv, pub, "user", "user", 40*time.Hour)
c.Assert(err, NotNil)
_, err = s.A.GenerateHostCert(priv, pub, "auth", "auth.example.com", time.Hour)
c.Assert(err, IsNil)
}
func (s *AuthSuite) GenerateUserCert(c *C) {
@ -59,4 +71,16 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
c.Assert(err, IsNil)
_, err = s.A.GenerateUserCert(priv, pub, "user", "user", -20)
c.Assert(err, NotNil)
_, err = s.A.GenerateUserCert(priv, pub, "user", "user", 0)
c.Assert(err, NotNil)
_, err = s.A.GenerateUserCert(priv, pub, "user", "user", 40*time.Hour)
c.Assert(err, NotNil)
_, err = s.A.GenerateUserCert(priv, pub, "user", "user", time.Hour)
c.Assert(err, IsNil)
}
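Review bot: The new assertions are added to suite methods named GenerateHostCert and GenerateUserCert (visible in the hunk header and in the context line between the hunks); gocheck only runs suite methods whose names begin with `Test`, so unless these are invoked from a Test-prefixed method elsewhere in the file, none of the new rejection checks execute. Renaming them, e.g. `func (s *AuthSuite) TestGenerateUserCert(c *C) {`, would make them run. The cases also leave the boundaries untested: MinCertDuration and MaxCertDuration themselves should be accepted and one unit below/above rejected, since the guard uses strict comparisons.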