Documentation
Constants
const DefaultCreateChallengePath = "/webauth-sshcert/v1/getChallenge"
DefaultCreateChallengePath is a well-known path that consumers of this library are encouraged to use. Clients using the client library use it by default.
const DefaultLoginWithChallengePath = "/webauth-sshcert/v1/loginWithChallenge"
DefaultLoginWithChallengePath is a well-known path that consumers of this library are encouraged to use.
const ExpirationChallengeMaxAge = time.Second * 30
ExpirationChallengeMaxAge is the maximum time for a challenge to be considered valid.
Variables
This section is empty.
Functions
func FingerprintSHA256
FingerprintSHA256 returns the base64 encoding of the SHA-256 hash with the trailing equal sign removed.
Types
type Authenticator
type Authenticator struct {
	// contains filtered or unexported fields
}
Authenticator contains all the structures needed to authenticate using ssh-certs for web.
func NewAuthenticator
func NewAuthenticator(hostnames []string, caKeys []string) *Authenticator
NewAuthenticator returns a new Authenticator ready to authenticate users given the hostnames and caKeys.
func (*Authenticator) CreateChallengeHandler
func (a *Authenticator) CreateChallengeHandler(w http.ResponseWriter, r *http.Request) error
CreateChallengeHandler is the function that should be handed to the server mux in order to create the challenge.
func (*Authenticator) LoginWithChallenge
LoginWithChallenge should be attached to the login-with-challenge path. How to keep the session or do the redirect is up to the caller. This function returns the authenticated username, expiration time of the authentication
func (*Authenticator) UnsafeUpdateCaKeys
func (a *Authenticator) UnsafeUpdateCaKeys(caKeys []string) error
UnsafeUpdateCaKeys is a function to be used only in the special case where the server does not know all the trusted keys at server initialization time. As the name indicates, you should not call this unless you have a really good reason. This function is NOT safe to be called from multiple goroutines or after the first call to any handler provided by this package.
type ChallengeResponseData
type ChallengeResponseData struct {
	Challenge                 string   `json:"challenge"`
	AllowedIssuerFingerprints []string `json:"allowed_issuer_fingerprints,omitempty"`
}
ChallengeResponseData is the JSON struct of the response when requesting a challenge from the server.
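The fingerprint format described for FingerprintSHA256 and the allowed_issuer_fingerprints field of ChallengeResponseData, as an added example that is not this package's own code: a client-side check of whether a certificate's issuing CA is among those the server advertises. The lowercase names are hypothetical, and the example assumes the fingerprint is taken over the SSH wire-format public key blob and that an absent list means no restriction.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Local mirror of the ChallengeResponseData JSON documented on this page.
type challengeResponse struct {
	Challenge                 string   `json:"challenge"`
	AllowedIssuerFingerprints []string `json:"allowed_issuer_fingerprints,omitempty"`
}

// fingerprintSHA256: base64 of the SHA-256 digest without the trailing "=".
// Assumption: the input is the SSH wire-format public key blob.
func fingerprintSHA256(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return base64.RawStdEncoding.EncodeToString(sum[:])
}

// issuerAllowed reports whether a certificate issued by caKeyBlob matches the
// server's advertised issuers. Assumption: an absent list means no restriction.
func issuerAllowed(body, caKeyBlob []byte) (bool, error) {
	var resp challengeResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, err
	}
	if resp.Challenge == "" {
		return false, fmt.Errorf("response carries no challenge")
	}
	if len(resp.AllowedIssuerFingerprints) == 0 {
		return true, nil
	}
	fp := fingerprintSHA256(caKeyBlob)
	for _, allowed := range resp.AllowedIssuerFingerprints {
		if allowed == fp {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca := []byte("constructed-ca-key-blob") // constructed sample, not a real key
	body, _ := json.Marshal(challengeResponse{"constructed-challenge", []string{fingerprintSHA256(ca)}})
	fmt.Println(issuerAllowed(body, ca))
	fmt.Println(issuerAllowed(body, []byte("some-other-ca-blob")))
}
```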