- min-encryption-password-length
- provisioner
Enforce min-encryption-password-length, if set, in the 'step ssh
certificate' command.
Add flags.FirstStringOf, which returns the value of the first defined flag in the input list.
This commit adds the `--console` flag to the following commands:
* `step ssh certificate`
* `step ssh config`
* `step ssh hosts`
* `step ssh login`
* `step ssh proxycommand`
* Allow users to define certificate comment in agent
Added a comment flag which allows users to set the comment for a
certificate when it gets added to an agent. It defaults to current
behavior if not set, which is it uses the subject as the comment.
This allows users who interact with multiple CAs with the same
identity (email) to have multiple certificates in the agent. It
also allows for use cases when users generate SSH certs with different
extensions to load multiple certificates in their agent.
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.
The confirmation claim is implemented in the token command as well as
the commands that use a given CSR or SSH public key. Those are:
- step ca token
- step ca sign
- step ssh certificate --sign
Fixes smallstep/certificates#1637
For user certificates, if an email is passed as a principal, include
in the principals list the email, and the local-part. This imitates
the behavior for OIDC provisioners on other provisioners like JWK.
On `step ssh certificate` we will only include them if no principals
are passed using the `--principal` flag.
Fixes #389
If the user re-runs the `ssh certificate` command, try to pull the
host-id out of a previous identity cert. This will make it less annoying
for someone who runs the command not knowing that it will clobber their
old host-id and result in a new host (requiring them to also
re-register).
Apparently some images don't properly handle the machine-id and it ends
up not being unique. By default play it safe and generate our own UUID.
Deriving a UUID from `/etc/machine-id` is still supported. To trigger
that behavior, pass 'machine' as the `--host-id` flag.
The short of it is that blake2b is designed to be a MAC. So let's use it
instead of worrying about whether we've used hmac|sha256 with a big
enough key, etc.
Add error details and inform the user if they try to pass `--host-id` but
have not specified `--host`. Also add a hint about what the potential
problem could be and a resolution option when we can't derive a host-id
from '/etc/machine-id'.
Alternatively, allow the user to specify their own UUID. Adding an ID
derived from the machine ID allows us to authorize hosts to access their
own resources by ID. The machine-id is not supposed to be sent around as
a raw UUID. So we HMAC it with an application "secret" and use the first
sixteen bytes of the resulting sha256 sum as the entropy source when
generating a new "random" UUIDv4.
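The host-id derivation described in these commits (keyed MAC over the machine-id, first sixteen bytes of the digest as the entropy for a UUIDv4, random UUID as the safe default), as an added example in Go that is not the project's own code. It uses HMAC-SHA256 from the standard library, the construction the earlier commit describes (the project later moved to blake2b keyed hashing); the secret and the sample machine-id are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// hostIDSecret: constructed placeholder for the application "secret" that keys the MAC.
var hostIDSecret = []byte("example-application-secret")

// uuidV4FromBytes forces the RFC 4122 version-4 and variant bits on 16 bytes of entropy and formats 8-4-4-4-12.
func uuidV4FromBytes(b [16]byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	h := hex.EncodeToString(b[:])
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])
}

// DeriveHostID computes HMAC-SHA256(secret, machine-id) and uses the first 16 bytes as UUIDv4 entropy, so the raw machine-id is never sent around.
func DeriveHostID(machineID string, secret []byte) (string, error) {
	id := strings.TrimSpace(machineID) // /etc/machine-id ends with a newline
	if id == "" {
		return "", errors.New("cannot derive host-id: machine-id is empty; pass --host-id with your own UUID")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(id))
	var entropy [16]byte
	copy(entropy[:], mac.Sum(nil)[:16])
	return uuidV4FromBytes(entropy), nil
}

// RandomHostID is the safe default when machine-id is absent or not unique.
func RandomHostID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return uuidV4FromBytes(b), nil
}

func main() {
	id, err := DeriveHostID("0123456789abcdef0123456789abcdef\n", hostIDSecret) // constructed sample machine-id
	fmt.Println(id, err)
}
```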