From dda973d04d7cda9934a0fdd4ecb0d5055423a335 Mon Sep 17 00:00:00 2001
From: Niall Sheridan
Date: Sat, 21 May 2016 21:36:00 +0100
Subject: Log the issuing of new certs

---
 server/signer/signer.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
(limited to 'server')

diff --git a/server/signer/signer.go b/server/signer/signer.go
index 854d70e..566ca98 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -1,9 +1,12 @@
 package signer
 import (
+ "crypto/md5"
 "crypto/rand"
 "fmt"
 "io/ioutil"
+ "log"
+ "strings"
 "time"
 "github.com/nsheridan/cashier/lib"
@@ -25,16 +28,16 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (string, error) {
 if err != nil {
 return "", err
 }
- expires := time.Now().Add(s.validity)
+ expires := time.Now().UTC().Add(s.validity)
 if req.ValidUntil.After(expires) {
 req.ValidUntil = expires
 }
 cert := &ssh.Certificate{
 CertType: ssh.UserCert,
 Key: pubkey,
- KeyId: req.Principal,
+ KeyId: fmt.Sprintf("%s_%d", req.Principal, time.Now().UTC().Unix()),
 ValidBefore: uint64(req.ValidUntil.Unix()),
- ValidAfter: uint64(time.Now().Add(-5 * time.Minute).Unix()),
+ ValidAfter: uint64(time.Now().UTC().Add(-5 * time.Minute).Unix()),
 }
 cert.ValidPrincipals = append(cert.ValidPrincipals, req.Principal)
 cert.ValidPrincipals = append(cert.ValidPrincipals, s.principals...)
@@ -45,6 +48,7 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (string, error) {
 marshaled := ssh.MarshalAuthorizedKey(cert)
 // Remove the trailing newline.
 marshaled = marshaled[:len(marshaled)-1]
+ log.Printf("Issued cert %s principals: %s fp: %s valid until: %s\n", cert.KeyId, cert.ValidPrincipals, fingerprint(pubkey), time.Unix(int64(cert.ValidBefore), 0).UTC())
 return string(marshaled), nil
 }
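Review bot: `time.Now()` is evaluated three times in the SignUserKey hunk — once for `expires`, once inside the `KeyId` format call and once for `ValidAfter` — so the certificate's validity window and the timestamp stamped into its identifier are taken from slightly different instants; capture it once with `now := time.Now().UTC()` and use `now.Add(s.validity)`, `now.Unix()` and `now.Add(-5 * time.Minute).Unix()`. The `.UTC()` calls change nothing for `Unix()` or for the `After` comparison, since both are location-independent; they only affect how a `time.Time` prints, so a comment saying the conversion is for the log output would explain why they are there. Whether the per-second suffix in `KeyId` is meant to be unique per issuance (two requests for the same principal within one second produce the same `KeyId`) is worth stating next to the format string, since the new log line relies on that field for correlation. SignUserKey begins and ends outside this hunk.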
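Review bot: The added `log.Printf` call ends its format string with `\n`, which the `log` package already supplies for every entry, and its `%s` verbs write request-derived text (`cert.KeyId` is built from `req.Principal`, and `cert.ValidPrincipals` contains it too) into the log unquoted, so a principal containing control characters or line breaks lands verbatim in the issuance record. Use `%q` for those two fields and drop the newline: `log.Printf("Issued cert %q principals: %q fp: %s valid until: %s", cert.KeyId, cert.ValidPrincipals, fingerprint(pubkey), time.Unix(int64(cert.ValidBefore), 0).UTC())`. If the principal is validated earlier in the request path that is not visible here, so quoting at the log site remains the cheaper safeguard for anyone auditing these lines. SignUserKey begins outside this hunk.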
@@ -86,3 +90,10 @@ func New(conf config.SSH) (*KeySigner, error) {
 permissions: makeperms(conf.Permissions),
 }, nil
 }
+
+func fingerprint(pubkey ssh.PublicKey) string {
+ md5String := md5.New()
+ md5String.Write(pubkey.Marshal())
+ fp := fmt.Sprintf("% x", md5String.Sum(nil))
+ return strings.Replace(fp, " ", ":", -1)
+}
--
cgit v1.2.3
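Review bot: `fingerprint` renders an MD5 digest in the colon-separated legacy format, which is not what current OpenSSH prints for a key (a `SHA256:` base64 string), so anyone correlating this log against `ssh-keygen -l` output or sshd's own logs has to remember to ask for the MD5 form. golang.org/x/crypto/ssh offers `ssh.FingerprintSHA256(pubkey)` and `ssh.FingerprintLegacyMD5(pubkey)`; if the vendored copy of the package has them, the helper collapses to a single return and the `crypto/md5` and `strings` imports added in the first hunk become unnecessary. MD5 is only an identifier here, not a security boundary, but the function has no doc comment — `// fingerprint returns the colon-separated hex MD5 fingerprint of pubkey, matching ssh-keygen -l -E md5.` would make the choice of digest and format explicit for the next reader. The `md5String` name is misleading for a `hash.Hash`; `h` would do.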