Merge branch 'dev'

Merge brnach dev

.release

@@ -1,2 +1,2 @@
-release=0.2.1
-tag=0.2.1
+release=0.2.2
+tag=0.2.2

README.md

@@ -3,7 +3,8 @@
 ![Docker Image Size (latest by date)](https://img.shields.io/docker/image-size/dbsentry/keyper)
 ![GitHub issues](https://img.shields.io/github/issues/mlgupta/keyper-docker)
 ![GitHub last commit](https://img.shields.io/github/last-commit/mlgupta/keyper-docker)
-![GitHub](https://img.shields.io/github/license/mlgupta/keyper-docker)  
+![GitHub](https://img.shields.io/github/license/mlgupta/keyper-docker)
+![Docker Pulls](https://img.shields.io/docker/pulls/dbsentry/keyper)  
 ![Keyper Architecture](https://keyper.dbsentry.com/media/keyper.png)  
 
 Keyper is an SSH Key/Certificate Authentication Manager. It standardizes and centralizes the storage of SSH public keys and SSH Public Certificates for all Linux users within your organization saving significant time and effort it takes to manage SSH public keys and certificates. Keyper is a lightweight container taking less than 100MB. It is launched either using Docker or Podman. You can be up and running within minutes instead of days.
@@ -14,6 +15,7 @@ Features include:
 - Certificate signing and storage
 - Public Key/Certificate Expiration
 - Forced Key rotation
+- Key Revocation List (KRL)
 - Streamlined provision or de-provisioning of users
 - Segmentation of Servers using groups
 - Policy definition to restrict user's access to server(s)

container/service/gunicorn/startup.sh

@@ -23,7 +23,7 @@ log-helper info "Setting UID/GID for nginx to ${NGINX_UID}/${NGINX_GID}"
 [ "$(id -u nginx)" -eq ${NGINX_UID} ] || usermod -u ${NGINX_UID} -g ${NGINX_GID} nginx
 
 cd /container/service/gunicorn/assets
-mv keyper /var/www
+[ -d keyper ] && mv keyper /var/www
 cd /var/www
 
 [ -d ${SSH_CA_DIR} ] || mkdir ${SSH_CA_DIR}

container/service/nginx/assets/scripts/auth.sh.txt

@@ -19,10 +19,6 @@
 #              parameter. It is set using %u on AuthorizedKeysCommand       #
 # 2. fingerprint: SSH Key finger print. It is an optional parameter. It is  #
 #                 set using %f on AuthorizedKeysCommand                     #    
-# 3. key: SSH Key. It is an optional parameter. It is set using %k on       #
-#         AuthorizedKeysCommand                                             #                          
-# 4. key_type: SSH Key type. It is an optional parameter. It is set using   #
-#              %t on AuthorizedKeysCommand                                  #                          
 # - Deploy this script under /etc/ssh (or corresponding location in your    #
 #   distro).                                                                #
 # - Rename it as auth.sh, and make sure it is owned by root and is          #
@@ -32,7 +28,7 @@
 # - Adjust KEYPER_HOST per the hostname and port.                           #
 # - Adjust HTTP protocol to http or https per your configuration of keyper. #
 # - Add following lines to sshd_config file (%f is optional)                #
-#    AuthorizedKeysCommand /bin/sh /etc/ssh/auth.sh %u %f %k %t             #
+#    AuthorizedKeysCommand /bin/sh /etc/ssh/auth.sh %u %f                   #
 #    AuthorizedKeysCommandUser root                                         #
 # - Make sure that HOST is set to the hostname defined in keyper console.   #
 # - Restart sshd                                                            #
@@ -43,8 +39,6 @@
 #############################################################################
 USER="$1"
 FP="$2"
-KEY="$3"
-KEY_TYPE="$4"
 HOST=`hostname`
 KEYPER_HOST={{HOSTNAME}}
 
@@ -53,7 +47,6 @@ CURL_ARGS="${CURL_ARGS} --data-urlencode username=${USER}"
 CURL_ARGS="${CURL_ARGS} --data-urlencode host=${HOST}"
 
 [ -z ${FP} ] || CURL_ARGS="${CURL_ARGS} --data-urlencode fingerprint=${FP}"
-[ -z ${KEY} ] || CURL_ARGS="${CURL_ARGS} --data-urlencode key=${KEY_TYPE}#${KEY}"
 
 ## Use this if you want to get public keys using HTTP GET
 curl -G ${CURL_ARGS} http://${KEYPER_HOST}/api/authkeys

container/service/nginx/assets/scripts/authprinc.sh.txt

@@ -19,10 +19,8 @@
 #              parameter. It is set using %u on AuthorizedKeysCommand       #
 # 2. fingerprint: SSH Key finger print. It is an optional parameter. It is  #
 #                 set using %f on AuthorizedKeysCommand                     #    
-# 3. key: SSH Key. It is an optional parameter. It is set using %k on       #
-#         AuthorizedKeysCommand                                             #                          
-# 4. key_type: SSH Key type. It is an optional parameter. It is set using   #
-#              %t on AuthorizedKeysCommand                                  #                          
+# 3. serial: Certificate Serial No. It is set using %s on                   #   
+#         AuthorizedPrincipalsCommand                                       #                          
 # - Deploy this script under /etc/ssh (or corresponding location in your    #
 #   distro).                                                                #
 # - Rename it as authprinc.sh, and make sure it is owned by root and is     #
@@ -32,28 +30,27 @@
 # - Adjust KEYPER_HOST per the hostname and port.                           #
 # - Adjust HTTP protocol to http or https per your configuration of keyper. #
 # - Add following lines to sshd_config file (%f is optional)                #
-#    AuthorizedPrincipalsCommand /bin/sh /etc/ssh/authprinc.sh %u %f %k %t  #
+#    AuthorizedPrincipalsCommand /bin/sh /etc/ssh/authprinc.sh %u %f %s     #
 #    AuthorizedPrincipalsCommandUser root                                   #
 # - Make sure that HOST is set to the hostname defined in keyper console.   #
 # - Restart sshd                                                            #
 # - Test script by invoking it on CLI                                       #
-#   # /etc/ssh/authprinc.sh <username> <fingerprint>                        #
+#   # /etc/ssh/authprinc.sh <username> <fingerprint> <serial>               #
 # - Above must return a princiapl name for user                             #
 #                                                                           #
 #############################################################################
 USER="$1"
 FP="$2"
 HOST=`hostname`
-KEY="$3"
-KEY_TYPE="$4"
+SERIAL="$3"
 KEYPER_HOST={{HOSTNAME}}
 
 CURL_ARGS="-s -q -f -m 7"
 CURL_ARGS="${CURL_ARGS} --data-urlencode username=${USER}"
 CURL_ARGS="${CURL_ARGS} --data-urlencode host=${HOST}"
 
 [ -z ${FP} ] || CURL_ARGS="${CURL_ARGS} --data-urlencode fingerprint=${FP}"
-[ -z ${KEY} ] || CURL_ARGS="${CURL_ARGS} --data-urlencode cert=${KEY_TYPE}#${KEY}"
+[ -z ${SERIAL} ] || CURL_ARGS="${CURL_ARGS} --data-urlencode serial=${SERIAL}"
 
 ## Use this if you want to get public keys using HTTP GET
 curl -G ${CURL_ARGS} http://${KEYPER_HOST}/api/authprinc

container/service/nginx/startup.sh

@@ -23,9 +23,9 @@ log-helper info "Setting UID/GID for nginx to ${NGINX_UID}/${NGINX_GID}"
 [ "$(id -u nginx)" -eq ${NGINX_UID} ] || usermod -u ${NGINX_UID} -g ${NGINX_GID} nginx
 
 cd /container/service/nginx/assets
-mv keyper-fe /var/www
-mv scripts /var/www
-mv docs /var/www
+[ -d keyper-fe ] && mv keyper-fe /var/www
+[ -d scripts ] && mv scripts /var/www
+[ -d docs ] && mv docs /var/www
 cd /var/www
 chown -R nginx:nginx keyper-fe scripts docs
 
@@ -34,7 +34,7 @@ sed -i "s/{{HOSTNAME}}/${HOSTNAME}/g" auth.sh.txt
 sed -i "s/{{HOSTNAME}}/${HOSTNAME}/g" authprinc.sh.txt
 
 cd /container/service/nginx/assets/etc/conf.d
-mv default.conf /etc/nginx/conf.d
+[ -f default.conf ] && mv default.conf /etc/nginx/conf.d
 
 [ -d /etc/nginx/certs ] || mkdir /etc/nginx/certs
 cp /container/service/nginx/assets/certs/* /etc/nginx/certs