
feat(cli): Support using brokered private key in ssh subcommand #2267

Merged
merged 6 commits into main from louis-ssh-brokered-key
Jul 20, 2022

Conversation

louisruch (Collaborator)

No description provided.

@louisruch louisruch requested a review from jefferai July 19, 2022 19:20
@github-actions github-actions bot added the core label Jul 19, 2022
@louisruch louisruch force-pushed the louis-ssh-brokered-key branch from 238f054 to fef22f0 Compare July 20, 2022 02:31
@louisruch (Collaborator, Author)

louisruch commented Jul 20, 2022

@jefferai let's chat about this in the morning. I figured a very structured credential would allow us to control when we consume a credential. This allows us in the future to have multiple steps that each look for a type of credential and then can decide to use it or not.

So, results from testing. First, using `boundary connect`, both are displayed. Please note I pointed the default target to a test server I use...

$ boundary connect -target-id ttcp_1234567890

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Wed, 20 Jul 2022 03:35:22 PDT
  Port:                43195
  Protocol:            tcp
  Session ID:          s_WxZMBtmG4r

  Credentials:
    Credential Source ID:   clvlt_r0n9GYea15
    Credential Source Name: Super secret lib 1
    Credential Store ID:    csvlt_mN7rvMGM8A
    Credential Store Type:  vault
    Credential Type:        ssh_private_key
    Secret:
          private_key:   ---redacted---
          username:      louisruch
  Credentials:
    Credential Source ID:   clvlt_vDQT2wUk25
    Credential Source Name: Super secret lib
    Credential Store ID:    csvlt_mN7rvMGM8A
    Credential Store Type:  vault
    Credential Type:        username_password
    Secret:
          password:   pass
          username:   test

Second, using the ssh helper. It uses and does not display the private_key, but does display the username_password cred.

$ boundary connect ssh -target-id ttcp_1234567890
Credentials:
  Credential Source ID:   clvlt_vDQT2wUk25
  Credential Source Name: Super secret lib
  Credential Store ID:    csvlt_mN7rvMGM8A
  Credential Store Type:  vault
  Credential Type:        username_password
  Secret:
        password:   pass
        username:   test
                   .-"-.
   *       (   +  /     \ . )
        )   )     |#    |  (   *
    .  (      .    \___/         .         JOIN US IN 'com' to CHAT for a
   +   .-"-.    *   /^    +  (           Special event anytime Pacific Time
      /     \  )   (  .-"-.    )  +
   .  |#    | (    * /     \  (  )
       \___/   )  (  |#    |    (  '    -+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-
    *   /^         )  \___/             - The 3B2/500 will continue to run  -
       (    *  '  (     ^\   *  '      -- from Apr 20th - Jun 30th 2022 to  --
   .    \     , , , , , ' \       +     -    celebrate these 2 events:      -
         )    | | | | |    ) .          -+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-
     *    . @%@%@%@%@%@%@ (    )          * VCF East Apr 22nd - Apr 24th  *
     (      {   happy   }  \  (   *       * SDF 35th Birthday Jun 16th    *
      ) *   { birthday! }   )    (        * ----------------------------- *
   *   '    @%@%@%@%@%@%@     ' *  )      * ----------------------------- *
     (    @%@%@%@%@%@%@%@%@       ) '     * ----------------------------- *
   +      {    SDF 35!    }  *   (      -+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-
          {  1987 - 2022  }    .    )   -  Please feel free to visit there! -
    jgs   {    June 16    }        (    -+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-
  *      @%@%@%@%@%@%@%@%@%@    +

@louisruch (Collaborator, Author)

louisruch commented Jul 20, 2022

@jefferai

$ boundary targets authorize-session -id ttcp_1234567890

Target information:
  Authorization Token:
  Created Time:          Wed, 20 Jul 2022 13:52:40 PDT
  Endpoint:              tcp://localhost:22
  Host ID:               hst_1234567890
  Scope ID:              p_1234567890
  Session ID:            s_RIn1fpbvfr
  Target ID:             ttcp_1234567890
  Type:                  tcp
  User ID:               u_1234567890

  Credentials:
    Credential Store ID:           csst_Me8zrNoRAi
    Credential Source ID:          credup_k4wrhahPQ5
    Credential Source Type:        static
    Credential Source Name:        My-brokered-cred
    Credential Source Description: How to describe a rose
    Credential Type:               username_password
    Secret:
      password:   pass
      username:   louis

    Credential Store ID:           csst_Me8zrNoRAi
    Credential Source ID:          credup_kWBFCclKl2
    Credential Source Type:        static
    Credential Source Name:        My-brokered-cred1
    Credential Source Description: How to describe a rose
    Credential Type:               username_password
    Secret:
      password:   pass
      username:   louis

    Credential Store ID:           csst_Me8zrNoRAi
    Credential Source ID:          credup_nO1DigLSne
    Credential Source Type:        static
    Credential Source Name:        My-brokered-cred2
    Credential Source Description: How to describe a rose
    Credential Type:               username_password
    Secret:
      password:   pass
      username:   louis

$ boundary connect  -target-id ttcp_1234567890

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Wed, 20 Jul 2022 21:51:24 PDT
  Port:                34437
  Protocol:            tcp
  Session ID:          s_l1LDg32Bw8

  Credentials:
    Credential Source Description: How to describe a rose
    Credential Source ID:          credup_k4wrhahPQ5
    Credential Source Name:        My-brokered-cred
    Credential Store ID:           csst_Me8zrNoRAi
    Credential Store Type:         static
    Credential Type:               username_password
    Secret:
          password:   pass
          username:   louis

    Credential Source Description: How to describe a rose
    Credential Source ID:          credup_kWBFCclKl2
    Credential Source Name:        My-brokered-cred1
    Credential Store ID:           csst_Me8zrNoRAi
    Credential Store Type:         static
    Credential Type:               username_password
    Secret:
          password:   pass
          username:   louis

    Credential Source Description: How to describe a rose
    Credential Source ID:          credup_nO1DigLSne
    Credential Source Name:        My-brokered-cred2
    Credential Store ID:           csst_Me8zrNoRAi
    Credential Store Type:         static
    Credential Type:               username_password
    Secret:
          password:   pass
          username:   louis

$ boundary connect ssh -target-id ttcp_1234567890
Credentials:
  Credential Source Description: How to describe a rose
  Credential Source ID:          credup_k4wrhahPQ5
  Credential Source Name:        My-brokered-cred
  Credential Store ID:           csst_Me8zrNoRAi
  Credential Store Type:         static
  Credential Type:               username_password
  Secret:
        password:   pass
        username:   louis

  Credential Source Description: How to describe a rose
  Credential Source ID:          credup_kWBFCclKl2
  Credential Source Name:        My-brokered-cred1
  Credential Store ID:           csst_Me8zrNoRAi
  Credential Store Type:         static
  Credential Type:               username_password
  Secret:
        password:   pass
        username:   louis

  Credential Source Description: How to describe a rose
  Credential Source ID:          credup_nO1DigLSne
  Credential Source Name:        My-brokered-cred2
  Credential Store ID:           csst_Me8zrNoRAi
  Credential Store Type:         static
  Credential Type:               username_password
  Secret:
        password:   pass
        username:   louis

And finally, if we consume one credential in sshpass:

$ boundary connect ssh -style sshpass -target-id ttcp_1234567890
Credentials:
  Credential Source Description: How to describe a rose
  Credential Source ID:          credup_kWBFCclKl2
  Credential Source Name:        My-brokered-cred1
  Credential Store ID:           csst_Me8zrNoRAi
  Credential Store Type:         static
  Credential Type:               username_password
  Secret:
        password:   pass
        username:   louis

  Credential Source Description: How to describe a rose
  Credential Source ID:          credup_nO1DigLSne
  Credential Source Name:        My-brokered-cred2
  Credential Store ID:           csst_Me8zrNoRAi
  Credential Store Type:         static
  Credential Type:               username_password
  Secret:
        password:   pass
        username:   louis

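The two comments above describe and demonstrate one selection rule: the ssh helper walks the brokered credentials, consumes the first one of the type the chosen style needs, and displays the rest (plain `ssh` consumes an `ssh_private_key` and shows every `username_password`; `-style sshpass` consumes one `username_password` and shows the remaining two). The Go program below is an added example of that rule written for this page; it is not Boundary's implementation. The `Credential` struct, the `consumeFirst`, `buildArgv` and `render` functions, the `brokered_key` file name and the sample credentials are all constructed here. Two details go beyond what the transcripts show and are this example's own choices: the private key is written to a `0600` file so only its path appears on the command line, and the password for `sshpass` is passed through the `SSHPASS` environment variable (`sshpass -e`) rather than as an argument visible in the process list.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Credential Type values exactly as the CLI prints them in the transcripts above.
const TypeSSHPrivateKey = "ssh_private_key"
const TypeUsernamePassword = "username_password"

// Credential is one brokered credential (hypothetical shape, not Boundary's own type).
type Credential struct {
	SourceID string
	Type     string
	Secret   map[string]string // "username", "password", "private_key"
}

// consumeFirst takes the first credential of wantType and returns the rest for display.
func consumeFirst(creds []Credential, wantType string) (*Credential, []Credential) {
	var consumed *Credential
	var rest []Credential
	for _, c := range creds {
		if consumed == nil && c.Type == wantType {
			c := c
			consumed = &c
			continue
		}
		rest = append(rest, c)
	}
	return consumed, rest
}

// buildArgv maps a -style to the credential type it consumes and to how that credential reaches
// the child process. It returns argv (argv[0] is the program), extra environment entries, and the
// credentials left over for display. Hypothetical code, not Boundary's implementation.
func buildArgv(style, addr string, port int, creds []Credential, keyDir string) ([]string, []string, []Credential, error) {
	switch style {
	case "ssh":
		key, rest := consumeFirst(creds, TypeSSHPrivateKey)
		argv := []string{"ssh", "-p", fmt.Sprint(port)}
		if key != nil {
			// Key material goes into a 0600 file (ssh rejects looser modes); only its path is on argv.
			path := filepath.Join(keyDir, "brokered_key")
			if err := os.WriteFile(path, []byte(key.Secret["private_key"]), 0o600); err != nil {
				return nil, nil, rest, err
			}
			argv = append(argv, "-i", path, "-l", key.Secret["username"])
		}
		return append(argv, addr), nil, rest, nil
	case "sshpass":
		pw, rest := consumeFirst(creds, TypeUsernamePassword)
		if pw == nil {
			return nil, nil, rest, fmt.Errorf("style sshpass needs a %s credential", TypeUsernamePassword)
		}
		// sshpass -e reads the password from $SSHPASS, so it never appears on argv where ps would show it.
		argv := []string{"sshpass", "-e", "ssh", "-p", fmt.Sprint(port), "-l", pw.Secret["username"], addr}
		return argv, []string{"SSHPASS=" + pw.Secret["password"]}, rest, nil
	}
	return nil, nil, creds, fmt.Errorf("unknown style %q", style)
}

// render formats the credentials left for display; private key material is always redacted.
func render(creds []Credential) string {
	var b strings.Builder
	for _, c := range creds {
		fmt.Fprintf(&b, "Credential Source ID: %s\nCredential Type: %s\nSecret:\n", c.SourceID, c.Type)
		for _, k := range []string{"username", "password", "private_key"} {
			if v, ok := c.Secret[k]; ok {
				if k == "private_key" {
					v = "---redacted---"
				}
				fmt.Fprintf(&b, "  %s: %s\n", k, v)
			}
		}
	}
	return b.String()
}

func main() {
	// Constructed sample mirroring the first transcript: one key credential, one password credential.
	creds := []Credential{
		{SourceID: "clvlt_r0n9GYea15", Type: TypeSSHPrivateKey, Secret: map[string]string{"username": "louisruch", "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n-----END OPENSSH PRIVATE KEY-----\n"}},
		{SourceID: "clvlt_vDQT2wUk25", Type: TypeUsernamePassword, Secret: map[string]string{"username": "test", "password": "pass"}},
	}
	dir, err := os.MkdirTemp("", "brokered")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	argv, _, rest, err := buildArgv("ssh", "127.0.0.1", 43195, creds, dir)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(argv, " ")) // key path on argv, never the key itself
	fmt.Print(render(rest))
}
```

Running it prints an `ssh -p 43195 -i <tmpdir>/brokered_key -l louisruch 127.0.0.1` line followed by only the `username_password` credential, which is the behaviour the second transcript shows. Calling `buildArgv` with the three static credentials from the later comment and style `sshpass` consumes `credup_k4wrhahPQ5` and leaves `credup_kWBFCclKl2` and `credup_nO1DigLSne` for display; with style `ssh` and no key credential present, nothing is consumed and all three are displayed.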
@louisruch louisruch merged commit 7d1a989 into main Jul 20, 2022
@louisruch louisruch deleted the louis-ssh-brokered-key branch July 20, 2022 22:17