Skip to content

Comments

Add support for signing ED25519 public keys#71

Merged
russell-lewis merged 2 commits intoNetflix:masterfrom
jnewbigin:ed25519
Jul 13, 2018
Merged

Add support for signing ED25519 public keys#71
russell-lewis merged 2 commits intoNetflix:masterfrom
jnewbigin:ed25519

Conversation

@jnewbigin
Copy link

@jnewbigin jnewbigin commented Jun 10, 2018

I added support for ED25519 for our project which uses the bless library but integrating with Okta.
Tests pass and works for our project but I have not done integration tests in AWS.

@russell-lewis
Copy link
Contributor

russell-lewis commented Jun 14, 2018

At first glance, this PR looks really good, so thank you! I'll take a closer look, try things out, and merge this when I can.

@russell-lewis
Copy link
Contributor

russell-lewis commented Jul 13, 2018

Finally got a chance to take a closer look at this PR. It looks great, thanks. There is one error I'll fix in a follow up commit.

@russell-lewis russell-lewis merged commit f1e2a30 into Netflix:master Jul 13, 2018
russell-lewis added a commit to russell-lewis/bless that referenced this pull request Jul 13, 2018
@russell-lewis
Allowing BLESS lambda to accept ed25519 keys, completing Netflix#71 .…
0de13c4 
… Thanks @jnewbigin .
russell-lewis added a commit that referenced this pull request Jul 14, 2018
@russell-lewis
Allowing BLESS lambda to accept ed25519 keys, completing https://gith… (
ba55021 
#74)

* Allowing BLESS lambda to accept ed25519 keys, completing #71 .  Thanks @jnewbigin .
acmcelwee added a commit to datadotworld/bless that referenced this pull request Nov 29, 2018
@acmcelwee
Merge upstream changes (#2)
ef09738 
* Allows username validation against IAM groups

This change gives the option to validate the remote username against
the IAM groups containing the user invoking the lambda function. This
is an optional feature which is used in conjunction with kmsauth.

For example, if there were two groups of users, you could put your
admins in the ssh-admin IAM group to allow them to generate certificates
with a remote_username of 'admin'. Users with fewer permissions could be
in the ssh-user group to allow them to generate certificates for the 'user'
account.

The group name is configurable, however they must all be in a consistent
format, and must all contain the relevant remote_username once.

* Compressed CA private key support

* Fixing Netflix#72 thanks @Immortalin and @tuxinaut .

* Add support for loading ED25519 public keys

* Add certificate builder and test ED25519 signed by RSA

* Allowing BLESS lambda to accept ed25519 keys, completing https://gith… (Netflix#74)

* Allowing BLESS lambda to accept ed25519 keys, completing Netflix#71 .  Thanks @jnewbigin .

* Moving BLESS to python 3.6. (Netflix#75)

* Moving BLESS to python 3.6.
You just need to rebuild, publish, and switch your lambda runtime from 2.7 to 3.6.

* Moving TravisCI to Python3.6 as well.

* bless_client.py: fix argv unpacking when using a kmsauth token (Netflix#63)

* Add the FileSync flag to the zip command (Netflix#76)

* Make lambda_configs dir optional for publish make target (Netflix#69)

* Adding a blacklisted remote_usernames option.  This would prevent particular SSH Authorized Principals from being included in a BLESS certificate.

* Refactored BLESS to cache KMS decrypt results for the ca private key password.

* Bumping to Release v.0.3.0

Features include:
Python 3.6 Lambda support
Caching of the KMS decrypted CA Private Key Password.
Compressed CA Private Key support, allowing RSA 4096 keys to be set in the Lambda Environment.
Issue certificates for ED25519 public keys (RSA CA).
New option to validate the remote username against the IAM groups of the calling user.
Updated dependencies.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jnewbigin @russell-lewis