
Add remove_instance_name config to CLI and mount config #68

Merged
merged 5 commits into from Aug 4, 2022

Conversation

jasonodonnell
Contributor

@jasonodonnell jasonodonnell commented Jul 26, 2022

It's not uncommon when generating keytab files for users to include hostnames in the service principal name, for example:

ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 bob/hashi-J67927WY11@CORP.EXAMPLE.NET

Some users want the CLI to strip these instances if they're found while parsing the keytab during login to avoid authentication issues when searching LDAP for the user. To do this, I added a new CLI login parameter remove_instance_name, which will remove any instance names from the keytab file. It then sends the modified keytab file to Vault to be used for the login request.

Using this new parameter, a login might look like this:

$ vault login -method=kerberos \
      username=bob \
      service=HTTP/127.0.0.1 \
      realm=CORP.EXAMPLE.NET \
      keytab_path=./bob.keytab \
      krb5conf_path=./configs/krb5.conf \
      disable_fast_negotiation=false \
      remove_instance_name=true

To enable server-side trimming, I added a new config to the kerberos config, with the same name remove_instance_name:

vault write auth/kerberos/config \
    keytab=@vault.keytab.base64 \
    service_account="vault" \
    remove_instance_name=true
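An added example, not the plugin's own code, of the trimming this option performs. It uses a simplified Entry type as a stand-in for the real keytab structure: every component after the primary is dropped from each keytab entry, and PrimaryOf takes the primary of a principal given as a string (the server-side username case) while honouring Kerberos backslash quoting.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Entry is a simplified keytab entry (a stand-in, not the plugin's own type): name
// components plus realm, so bob/hashi-J67927WY11@CORP.EXAMPLE.NET is ["bob", "hashi-J67927WY11"] + "CORP.EXAMPLE.NET".
type Entry struct {
	Components []string
	Realm      string
}

// RemoveInstanceNames keeps only the primary component of each entry, which is what
// remove_instance_name=true asks for; an entry with no components at all is an error.
func RemoveInstanceNames(entries []Entry) ([]Entry, error) {
	out := make([]Entry, 0, len(entries))
	for _, e := range entries {
		if len(e.Components) == 0 {
			return nil, errors.New("keytab entry has no principal components")
		}
		out = append(out, Entry{Components: e.Components[:1], Realm: e.Realm})
	}
	return out, nil
}

// PrimaryOf returns the primary of a principal in string form, as a server-side
// username check sees it. A backslash quotes the next byte, so "bob\/x@REALM" yields "bob/x".
func PrimaryOf(principal string) string {
	var b strings.Builder
	for i := 0; i < len(principal); i++ {
		switch c := principal[i]; {
		case c == '\\' && i+1 < len(principal):
			i++
			b.WriteByte(principal[i])
		case c == '/' || c == '@':
			return b.String()
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

func main() {
	out, _ := RemoveInstanceNames([]Entry{{Components: []string{"bob", "hashi-J67927WY11"}, Realm: "CORP.EXAMPLE.NET"}})
	fmt.Println(strings.Join(out[0].Components, "/") + "@" + out[0].Realm) // constructed entry from the listing above; prints bob@CORP.EXAMPLE.NET
}
```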

Member

@austingebauer austingebauer left a comment


I don't have enough context to contribute to the client/server side question, but the code generally LGTM.

Member

@calvn calvn left a comment


One last nit, otherwise LGTM

@jasonodonnell jasonodonnell changed the title Add remove_instance_name config to CLI Add remove_instance_name config to CLI and mount config Aug 4, 2022
@jasonodonnell jasonodonnell merged commit 1246299 into main Aug 4, 2022
@jasonodonnell jasonodonnell deleted the remove-instance-names branch August 4, 2022 17:06
optiz0r pushed a commit to optiz0r/vault-plugin-auth-kerberos that referenced this pull request Jan 8, 2024
hashicorp#69)

* Add remove_instance_name config to CLI

* Add server side processing

* Remove trimming from username

* Remove redundant check for trimming

* Also split username serverside