-rw-r--r--  README.md                                               8
-rw-r--r--  example-client.conf (renamed from example-client.cfg)   0
-rw-r--r--  example-server.conf                                    24
-rw-r--r--  example-server.json                                    24
4 files changed, 28 insertions, 28 deletions
diff --git a/README.md b/README.md
index 48be3a3..437f61d 100644
--- a/README.md
+++ b/README.md
@@ -37,8 +37,8 @@ The user can now ssh to the production machine, and continue to ssh to any machi
# Usage
Cashier comes in two parts, a [cli](cmd/cashier) and a [server](cmd/cashierd).
-The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.cfg) - or command-line flags.
-The server is configured using a JSON configuration file - [example](example-server.json).
+The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.conf) - or command-line flags.
+The server is configured using a HCL configuration file - [example](example-server.conf).
For the server you need the following:
- A new ssh private key. Generate one in the usual way using `ssh-keygen -f ssh_ca` - this is your CA signing key. At this time Cashier supports RSA, ECDSA and Ed25519 keys. *Important* This key should be kept safe - *ANY* ssh key signed with this key will be able to access your machines.
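Review bot: both `+` lines in this hunk should read `an HCL configuration file` rather than `a HCL configuration file` (HCL is read with an initial vowel sound), and since the hunk already rewrites both sentences this is the place to fix it. Otherwise the hunk is consistent: the two `[example](...)` links now point at `example-client.conf` and `example-server.conf`, which are exactly the files that exist after this commit.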
@@ -50,11 +50,11 @@ For the server you need the following:
```
go get github.com/cashier/cmd/...
```
-2. Create a signing key with `ssh-keygen` and a [config.json](example-server.json)
+2. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf)
3. Run the cashier server with `cashierd` and the cli with `cashier`.
## Using docker
-1. Create a signing key with `ssh-keygen` and a [config.json](example-server.json)
+1. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf)
2. Run
```
docker run -it --rm -p 10000:10000 --name cashier -v $(pwd):/cashier nsheridan/cashier
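Review bot: in both step lists the link text changes from `config.json` to `cashierd.conf` while the link target stays `example-server.conf`, so a reader cannot tell whether `cashierd` looks for a file literally named `cashierd.conf` by default or whether the path has to be passed on the command line; nothing in this patch shows the server's config flag or default path. Either document the default path or the flag that selects the file in step 2, or keep the link text equal to the file name it points at. This matters most for the docker step: `-v $(pwd):/cashier` mounts the working directory, and the container will only pick up the config if the operator knows what name it must have.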
diff --git a/example-client.cfg b/example-client.conf
index b9e8232..b9e8232 100644
--- a/example-client.cfg
+++ b/example-client.conf
diff --git a/example-server.conf b/example-server.conf
new file mode 100644
index 0000000..94c6b69
--- /dev/null
+++ b/example-server.conf
@@ -0,0 +1,24 @@
+server {
+ use_tls = true # Optional. If this is set then `tls_key` and `tls_cert` must be set
+ tls_key = "server.key" # Path to TLS key
+ tls_cert = "server.crt" # Path to TLS certificate
+ port = 443 # Port to listen on
+ cookie_secret = "supersecret" # Authentication key for the client cookie
+}
+
+auth {
+ provider = "google" # Oauth provider to use
+ oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com" # Oauth client ID
+ oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy" # Oauth client secret
+ oauth_callback_url = "https://sshca.example.com/auth/callback" # Oauth callback url
+ provider_opts {
+ domain = "example.com" # Oauth-provider specific options
+ }
+}
+
+ssh {
+ signing_key = "signing_key" # Path to the CA signing secret key
+ additional_principals = ["ec2-user", "ubuntu"] # Additional principals to allow
+ max_age = "720h" # Maximum lifetime of a ssh certificate
+ permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"] # Permissions associated with a certificate.
+}
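Review bot: the example ships with values that look like real secrets (`cookie_secret = "supersecret"`, `oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy"`) and no comment telling the operator to replace them; because `cookie_secret` is the key that authenticates the client cookie, a plausible-looking example value invites copy-paste deployments. Suggest an unmistakable placeholder plus a generation hint, e.g. `cookie_secret = "CHANGEME" # Generate with: openssl rand -hex 32`. Two smaller points on the same hunk: `max_age = "720h"` is 30 days, which is a long lifetime for a certificate that, per the README line above, grants access to every machine trusting the CA, so an example measured in hours would be a safer default to copy; and the `permissions` list turns on `permit-agent-forwarding`, `permit-X11-forwarding` and `permit-port-forwarding` for every certificate, which deserves a comment saying the list can and usually should be trimmed per deployment.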
diff --git a/example-server.json b/example-server.json
deleted file mode 100644
index 1ac84f2..0000000
--- a/example-server.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "server": {
- "use_tls": true,
- "tls_key": "server.key",
- "tls_cert": "server.crt",
- "port": 443,
- "cookie_secret": "supersecret"
- },
- "auth": {
- "provider": "google",
- "oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com",
- "oauth_client_secret": "yyyyyyyyyyyyyyyyyyyyyy",
- "oauth_callback_url": "https://sshca.example.com/auth/callback",
- "provider_opts": {
- "domain": "example.com"
- }
- },
- "ssh": {
- "signing_key": "signing_key",
- "additional_principals": ["ec2-user", "ubuntu"],
- "max_age": "720h",
- "permissions": ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"]
- }
-}
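Review bot: the deleted JSON and the new HCL file are field-for-field equivalent (same keys, same `720h`, same `permissions` list), so nothing is lost in the conversion, but the patch gives an existing operator no migration hint: the README hunks drop every mention of `config.json` and nothing in the patch says whether `cashierd` still accepts a JSON file. Suggest one line in the README (or the commit message) stating that the server config format is now HCL and that an existing JSON config must be rewritten; the mapping is mechanical, as the two files in this diff show side by side.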