bless_client.py: fix argv unpacking when using a kmsauth token #63
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
acmcelwee
added a commit
to datadotworld/bless
that referenced
this pull request
Nov 29, 2018
* Allows username validation against IAM groups This change gives the option to validate the remote username against the IAM groups containing the user invoking the lambda function. This is an optional feature which is used in conjunction with kmsauth. For example, if there were two groups of users, you could put your admins in the ssh-admin IAM group to allow them to generate certificates with a remote_username of 'admin'. Users with fewer permissions could be in the ssh-user group to allow them to generate certificates for the 'user' account. The group name is configurable, however they must all be in a consistent format, and must all contain the relevant remote_username once. * Compressed CA private key support * Fixing Netflix#72 thanks @Immortalin and @tuxinaut . * Add support for loading ED25519 public keys * Add certificate builder and test ED25519 signed by RSA * Allowing BLESS lambda to accept ed25519 keys, completing https://gith… (Netflix#74) * Allowing BLESS lambda to accept ed25519 keys, completing Netflix#71 . Thanks @jnewbigin . * Moving BLESS to python 3.6. (Netflix#75) * Moving BLESS to python 3.6. You just need to rebuild, publish, and switch your lambda runtime from 2.7 to 3.6. * Moving TravisCI to Python3.6 as well. * bless_client.py: fix argv unpacking when using a kmsauth token (Netflix#63) * Add the FileSync flag to the zip command (Netflix#76) * Make lambda_configs dir optional for publish make target (Netflix#69) * Adding a blacklisted remote_usernames option. This would prevent particular SSH Authorized Principals from being included in a BLESS certificate. * Refactored BLESS to cache KMS decrypt results for the ca private key password. * Bumping to Release v.0.3.0 Features include: Python 3.6 Lambda support Caching of the KMS decrypted CA Private Key Password. Compressed CA Private Key support, allowing RSA 4096 keys to be set in the Lambda Environment. Issue certificates for ED25519 public keys (RSA CA). New option to validate the remote username against the IAM groups of the calling user. Updated dependencies.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.