
ssh/certificate: Generate a random UUID by default

Apparently some images don't properly handle the machine-id and it ends
up not being unique. By default play it safe and generate our own UUID.
Deriving a UUID from `/etc/machine-id` is still supported. To trigger
that behavior, pass 'machine' as the value of the `--host-id` flag.
This commit is contained in:
David Cowden
2020-03-26 17:19:53 -07:00
parent bf4af2274b
commit 8d3073d3dc
2 changed files with 26 additions and 6 deletions


@@ -120,6 +120,19 @@ $ step ssh certificate --host --sign \
internal.example.com ssh_host_ecdsa_key.pub internal.example.com ssh_host_ecdsa_key.pub
''' '''
Sign an SSH public key and generate a host certificate with a custom uuid:
'''
$ step ssh certificate --host --host-id 00000000-0000-0000-0000-000000000000 \
--sign internal.example.com ssh_host_ecdsa_key.pub
'''
Sign an SSH public key and generate a host certificate with a uuid derived
from '/etc/machine-id':
'''
$ step ssh certificate --host --host-id machine --sign \
internal.example.com ssh_host_ecdsa_key.pub
'''
Generate an ssh certificate with custom principals from an existing key pair and Generate an ssh certificate with custom principals from an existing key pair and
add the certificate to the ssh agent: add the certificate to the ssh agent:
''' '''
@@ -268,15 +281,21 @@ func certificateAction(ctx *cli.Context) error {
// All host identity certs need a URI SAN to work with our ssh API. // All host identity certs need a URI SAN to work with our ssh API.
if isHost { if isHost {
var u = uuid.Nil var u = uuid.Nil
if hostID == "" { switch hostID {
case "":
u, err = uuid.NewRandom()
if err != nil {
return errs.Wrap(err, "Unable to generate a host-id.")
}
case "machine":
u, err = deriveMachineID() u, err = deriveMachineID()
if err != nil { if err != nil {
return errs.Wrap(err, "Unable to derive a host-id. Make sure /etc/machine-id exists or pass an explicit id with --host-id.") return errs.Wrap(err, "Unable to derive a host-id. Make sure /etc/machine-id exists.")
} }
} else { default:
u, err = uuid.Parse(hostID) u, err = uuid.Parse(hostID)
if err != nil { if err != nil {
return errs.InvalidFlagValue(ctx, sshHostIDFlag.Name, hostID, "") return errs.InvalidFlagValue(ctx, sshHostIDFlag.Name, hostID, "[ machine | <UUID> ]")
} }
} }
uri, err := url.Parse(u.URN()) uri, err := url.Parse(u.URN())
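Review bot: The new `case "":` branch makes the host identity non-reproducible: every run without `--host-id` calls `uuid.NewRandom()` and so ends up with a different URI SAN, which means re-issuing a certificate for the same host silently changes its identity unless the caller passes the previously issued UUID, and neither the switch nor the flag usage says so. A comment above the switch would make that explicit, e.g. `// Default to a fresh random UUID because the machine-id is not unique on some images; re-issuing for the same host must pass the earlier id via --host-id.` Two smaller points: the `var u = uuid.Nil` initializer is now redundant since every branch either assigns `u` or returns, so `var u uuid.UUID` reads more honestly; and `uuid.Parse` accepts the nil UUID (the example added at the top of the file uses `00000000-0000-0000-0000-000000000000`), so if the nil id is not meant to be a valid host identity a `u == uuid.Nil` rejection after the switch may be wanted. certificateAction begins before this hunk and continues past it.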


@@ -114,8 +114,9 @@ var (
} }
sshHostIDFlag = cli.StringFlag{ sshHostIDFlag = cli.StringFlag{
Name: "host-id", Name: "host-id",
Usage: `Specify a <UUID> to identify the host rather than using an auto-generated UUID derived from the machine-id.`, Usage: `Specify a <UUID> to identify the host rather than using an auto-generated UUID.
If "machine" is passed, derive a UUID from "/etc/machine-id."`,
} }
sshSignFlag = cli.BoolFlag{ sshSignFlag = cli.BoolFlag{