Add MFA support for SSHExecutor #348
Changes from 8 commits
1de0bee
6f108fe
50a571e
61ba55a
8579682
b4c2312
d9e781a
ce68e20
2858c81
23aba4a
@@ -46,6 +46,14 @@ SSH Executor | |
directly passed as keyword arguments to `asyncssh` `connect` call. You can find all available parameters in the | ||
`asyncssh documentation`_ | ||
|
||
Additionally the ``SSHExecutor`` supports Multi-factor Authentication (MFA). In order to activate it, you need to | ||
add ``mfa_secrets`` as parameter to the ``SSHExecutor`` containing a list of command line prompt to TOTP secrets | ||
mappings. | ||
|
||
.. note:: | ||
The prompt can be obtained by connecting to the server via ssh in a terminal. The prompt is the text the | ||
terminal is showing in order to obtain the second factor for the ssh connection. (e.g. "Enter 2FA Token:") | ||
|
||
.. _asyncssh documentation: https://asyncssh.readthedocs.io/en/latest/api.html#connect | ||
|
||
.. content-tabs:: right-col | ||
|
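Review bot: The new paragraph says ``mfa_secrets`` holds "a list of command line prompt to TOTP secrets mappings" but never states how a prompt is matched against what the server sends (exact string, prefix, or substring), and the note below it only tells the reader to copy the text the terminal shows; prompts often end in a space after the colon, so one sentence on the matching rule, or an instruction to include any trailing whitespace, would save users a failed login. The sentence itself also needs rewording, e.g. "containing a list of mappings from the command line prompt to the TOTP secret". Finally, the TOTP secret written into this configuration is equivalent to holding the second factor, so the paragraph should say that the file needs the same access restrictions as the ``client_keys`` listed next to it.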
@@ -60,6 +68,20 @@ SSH Executor | |
client_keys: | ||
- /opt/tardis/ssh/tardis | ||
|
||
.. rubric:: Example configuration (Using Multi-factor Authentication) | ||
|
||
.. code-block:: yaml | ||
|
||
!TardisSSHExecutor | ||
host: login.dorie.somewherein.de | ||
username: clown | ||
client_keys: | ||
- /opt/tardis/ssh/tardis | ||
mfa_secrets: | ||
- prompt: "Enter 2FA Token:" | ||
secret: "IMIZDDO2I45ZSTR6XDGFSPFDUY" | ||
Comment: Sorry, my head is a bit hung up on having

Comment: What about calling it

    mfa_config:
      - prompt: "Enter 2 FA TOken:"
        secret: "IMIZDDO2I45ZSTR6XDGFSPFDUY"

Three colons aligned. 👍

Comment: However, I think

    mfa_config:
      - prompt: "Enter 2 FA TOken:"
        totp: "IMIZDDO2I45ZSTR6XDGFSPFDUY"

is much better. Since it's clear that we are just supporting
||
|
||
|
||
.. rubric:: Example configuration (`COBalD` legacy object initialisation) | ||
|
||
.. code-block:: yaml | ||
|
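Review bot: The example line ``secret: "IMIZDDO2I45ZSTR6XDGFSPFDUY"`` uses a value shaped exactly like a real base32 TOTP seed; replace it with an obvious placeholder such as ``secret: "<BASE32-TOTP-SECRET>"`` so a copy-pasted configuration cannot be mistaken for a working credential and so the documentation never carries a value that looks like one that should be kept out of a repository. The key names should also be settled before merge: the inline discussion proposes ``mfa_config`` with ``totp`` in place of ``mfa_secrets`` with ``secret``, while the documentation paragraph in the previous hunk already uses ``mfa_secrets``, so whichever is chosen needs to be applied in both places.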
@@ -1,17 +1,19 @@ | ||
from cobald.daemon.plugins import YAMLTagSettings | ||
import yaml | ||
|
||
|
||
def enable_yaml_load(tag): | ||
def yaml_load_decorator(cls): | ||
def class_factory(loader, node): | ||
settings = YAMLTagSettings.fetch(cls) | ||
new_cls = cls | ||
if isinstance(node, yaml.nodes.MappingNode): | ||
parameters = loader.construct_mapping(node) | ||
parameters = loader.construct_mapping(node, deep=settings.eager) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is necessary since MFA is using nested lists and dictionaries, when initialised using a yaml tag. This function is only used in the unittest. In real life it will be evaluated by COBalD, which already supports eager evaluation of yaml tags. |
||
new_cls = cls(**parameters) | ||
elif isinstance(node, yaml.nodes.ScalarNode): | ||
new_cls = cls() | ||
elif isinstance(node, yaml.nodes.SequenceNode): | ||
parameters = loader.construct_sequence(node) | ||
parameters = loader.construct_sequence(node, deep=settings.eager) | ||
new_cls = cls(*parameters) | ||
return new_cls | ||
|
||
|
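Review bot: With ``deep=settings.eager`` the result of ``construct_mapping`` and ``construct_sequence`` now depends on the ``YAMLTagSettings`` registered for ``cls``; when ``eager`` is False, PyYAML returns nested sequences such as the ``mfa_secrets`` list before their items are constructed, so ``cls(**parameters)`` would see an empty list rather than the prompt/secret entries. The inline comment explains that this helper is only used by the unit tests and that COBalD performs eager evaluation in production, but nothing in the code says so: a docstring on ``enable_yaml_load`` stating that it mirrors COBalD's tag loading and exists for the tests, plus a test that loads the MFA example through it and asserts on the number of entries in ``mfa_secrets``, would keep the two from drifting apart.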
Comment: Unrelated change. Sphinx was complaining about language is None.