From 46ec48845704b54d395727441edc049b009da774 Mon Sep 17 00:00:00 2001
From: Niall Sheridan
Date: Sun, 29 May 2016 14:21:36 +0100
Subject: Replace json examples with hcl examples
---
 README.md | 8 ++++----
 example-client.cfg | 4 ----
 example-client.conf | 4 ++++
 example-server.conf | 24 ++++++++++++++++++++++++
 example-server.json | 24 ------------------------
 5 files changed, 32 insertions(+), 32 deletions(-)
 delete mode 100644 example-client.cfg
 create mode 100644 example-client.conf
 create mode 100644 example-server.conf
 delete mode 100644 example-server.json
diff --git a/README.md b/README.md
index 48be3a3..437f61d 100644
--- a/README.md
+++ b/README.md
@@ -37,8 +37,8 @@ The user can now ssh to the production machine, and continue to ssh to any machi
 # Usage
 Cashier comes in two parts, a [cli](cmd/cashier) and a [server](cmd/cashierd).
-The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.cfg) - or command-line flags.
-The server is configured using a JSON configuration file - [example](example-server.json).
+The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.conf) - or command-line flags.
+The server is configured using a HCL configuration file - [example](example-server.conf).
 For the server you need the following:
 - A new ssh private key. Generate one in the usual way using `ssh-keygen -f ssh_ca` - this is your CA signing key. At this time Cashier supports RSA, ECDSA and Ed25519 keys. *Important* This key should be kept safe - *ANY* ssh key signed with this key will be able to access your machines.
@@ -50,11 +50,11 @@ For the server you need the following:
 ```
 go get github.com/cashier/cmd/...
 ```
-2. Create a signing key with `ssh-keygen` and a [config.json](example-server.json)
+2. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf)
 3. Run the cashier server with `cashierd` and the cli with `cashier`.
 ## Using docker
-1. Create a signing key with `ssh-keygen` and a [config.json](example-server.json)
+1. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf)
 2. Run
 ```
 docker run -it --rm -p 10000:10000 --name cashier -v $(pwd):/cashier nsheridan/cashier
diff --git a/example-client.cfg b/example-client.cfg
deleted file mode 100644
index b9e8232..0000000
--- a/example-client.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-ca = "https://sshca.example.com" // Address of the cashierd CA
-key_type = "rsa" // Type of ssh key to generate - rsa, ecdsa, ed25519
-key_size = 2048 // Size of key to generate. ecdsa must be one of 256, 384, 521. This value is ignored for ed25519 keys.
-validity = "24h" // How long the cert will be valid for. Must be a valid go time.Duration.
diff --git a/example-client.conf b/example-client.conf
new file mode 100644
index 0000000..b9e8232
--- /dev/null
+++ b/example-client.conf
@@ -0,0 +1,4 @@
+ca = "https://sshca.example.com" // Address of the cashierd CA
+key_type = "rsa" // Type of ssh key to generate - rsa, ecdsa, ed25519
+key_size = 2048 // Size of key to generate. ecdsa must be one of 256, 384, 521. This value is ignored for ed25519 keys.
+validity = "24h" // How long the cert will be valid for. Must be a valid go time.Duration.
diff --git a/example-server.conf b/example-server.conf
new file mode 100644
index 0000000..94c6b69
--- /dev/null
+++ b/example-server.conf
@@ -0,0 +1,24 @@
+server {
+ use_tls = true # Optional. If this is set then `tls_key` and `tls_cert` must be set
+ tls_key = "server.key" # Path to TLS key
+ tls_cert = "server.crt" # Path to TLS certificate
+ port = 443 # Port to listen on
+ cookie_secret = "supersecret" # Authentication key for the client cookie
+}
+
+auth {
+ provider = "google" # Oauth provider to use
+ oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com" # Oauth client ID
+ oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy" # Oauth client secret
+ oauth_callback_url = "https://sshca.example.com/auth/callback" # Oauth callback url
+ provider_opts {
+ domain = "example.com" # Oauth-provider specific options
+ }
+}
+
+ssh {
+ signing_key = "signing_key" # Path to the CA signing secret key
+ additional_principals = ["ec2-user", "ubuntu"] # Additional principals to allow
+ max_age = "720h" # Maximum lifetime of a ssh certificate
+ permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"] # Permissions associated with a certificate.
+}
diff --git a/example-server.json b/example-server.json
deleted file mode 100644
index 1ac84f2..0000000
--- a/example-server.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "server": {
- "use_tls": true,
- "tls_key": "server.key",
- "tls_cert": "server.crt",
- "port": 443,
- "cookie_secret": "supersecret"
- },
- "auth": {
- "provider": "google",
- "oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com",
- "oauth_client_secret": "yyyyyyyyyyyyyyyyyyyyyy",
- "oauth_callback_url": "https://sshca.example.com/auth/callback",
- "provider_opts": {
- "domain": "example.com"
- }
- },
- "ssh": {
- "signing_key": "signing_key",
- "additional_principals": ["ec2-user", "ubuntu"],
- "max_age": "720h",
- "permissions": ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"]
- }
-}
-- 
cgit v1.2.3
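Review bot: The placeholder values `cookie_secret = "supersecret"` and `oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy"` in the new example-server.conf carry no hint that they must be replaced, and the README now points newcomers at this file as the starting config, so a copied-verbatim secret is a real risk; the trailing comment should say so, e.g. `cookie_secret = "supersecret" # Authentication key for the client cookie. Replace with a long random value and keep this file readable only by the cashierd user`. The `permissions` line enables all five standard OpenSSH certificate extensions, including agent, port and X11 forwarding, so a short comment noting that a deployment can trim this list to what its users actually need would make clear it is the permissive default rather than a requirement. Minor style point: the sibling example-client.conf comments with `//` while this file uses `#`; both are valid HCL, but using one form across the two example files would read more consistently.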