Add the debug command tsh fido2 attobj
#25740
The helper comes in handy when trying to compare registered credentials, since we don't record this information "unpacked" in other places.
I think generally I don't mind `tsh` being used for debugging tools - we'll need to keep an eye on binary size over time but it seems currently that building out pipelines for distributing other tooling seems quite time-consuming, so for now this seems fine.

Part of me wonders if something like `tctl` is more a natural home for them for commands that an administrator might use to debug parts of their cluster, I can also envision cases where support teams are working with customer users that do not have `tctl` available - and - in many cases, debug commands may need to leverage a connection to a Proxy which `tctl` does not provide for.
70ccdf7 to 416361a
PTAL @zmb3 ?
Tested both `tsh fido2` commands, they seem to work as advertised.
@codingllama See the table below for backport results.
* Refactor `tsh fido2` root command
* Add the `tsh fido2 attobj` command
* Use trace.Wrap
* Log swallowed error
* Make argument required

* Add the debug command `tsh fido2 attobj` (#25740)
* Refactor `tsh fido2` root command
* Add the `tsh fido2 attobj` command
* Use trace.Wrap
* Log swallowed error
* Make argument required
* Change imports to duo-labs

Add a helper/debug command to parse attestation objects.

Useful when inspecting MFA devices, otherwise attestation objects are rather opaque to inspect. Works directly with data acquired from `tctl get users/foo --with-secrets`.
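
An attestation object is a CBOR map whose `authData` entry is a fixed-layout byte string; the sketch below, an added example and not code from this PR or from Teleport, unpacks that byte string using the layout in the WebAuthn specification. It assumes the outer CBOR map has already been decoded, and the names `AuthData` and `ParseAuthData` and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthData is the unpacked authenticator data from an attestation object.
type AuthData struct {
	RPIDHash                  []byte // SHA-256 of the relying party ID
	UserPresent, UserVerified bool
	SignCount                 uint32
	AAGUID, CredentialID      []byte // set only when the AT flag is present
	Rest                      []byte // CBOR: COSE public key, then any extensions
}

// ParseAuthData decodes rpIdHash(32) | flags(1) | signCount(4) | attested data.
func ParseAuthData(b []byte) (*AuthData, error) {
	if len(b) < 37 {
		return nil, errors.New("authData shorter than 37 bytes")
	}
	flags := b[32]
	ad := &AuthData{
		RPIDHash:     b[:32],
		UserPresent:  flags&0x01 != 0, // UP
		UserVerified: flags&0x04 != 0, // UV
		SignCount:    binary.BigEndian.Uint32(b[33:37]),
	}
	if flags&0x40 == 0 { // AT clear: no attested credential data follows
		return ad, nil
	}
	rest := b[37:]
	if len(rest) < 18 { // AAGUID(16) + credentialIdLength(2)
		return nil, errors.New("truncated attested credential data")
	}
	n := int(binary.BigEndian.Uint16(rest[16:18]))
	if len(rest) < 18+n { // never trust the embedded length
		return nil, errors.New("credential ID length exceeds buffer")
	}
	ad.AAGUID, ad.CredentialID, ad.Rest = rest[:16], rest[18:18+n], rest[18+n:]
	return ad, nil
}

func main() {
	// Constructed sample: flags UP|AT, counter 7, 2-byte credential ID, empty CBOR map.
	sample := append(make([]byte, 53), 0x00, 0x02, 0xAA, 0xBB, 0xA0)
	sample[32], sample[36] = 0x41, 7
	ad, err := ParseAuthData(sample)
	fmt.Printf("%+v %v\n", ad, err)
}
```

The AAGUID and signature counter recovered this way are the fields that differ between authenticator models and between registrations, which is what makes the unpacked form useful when comparing credentials.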