I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error rightaway if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist since we need to return a keyHandle in the U2F SignRequest
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.
- User tokens (signup tokens) and node nodes (provisioning tokens) are
managed via the same API calls.
- User tokens are converted to machine tokens (with Signup role)
- Static node tokens have "Expiry" date of Unix(0) i.e. Jan 1, 1970
1. `--name` setting is passed through into AuthServer as "AuthServiceName".
This will be used in UIs when there are multiple clusters, and also
in places like Google Authenticator
2. `tctl nodes ls` now lists both host name and host UUID
3. Changed `--name` setting to `--nodename` to be consistent with the
config file.
Closes#194
This commit includes refactoring and cleanup of cert authority sybsystem:
* User keys methods are deleted
* Authorities CRUD is simplified
* Lots of code removed
