dustin/sshca-cli/pipeline/head This commit looks goodDetails
Since the *openidconnect* dependency was added before the
`native-tls`/`rustls` features, it was hard coded to use native TLS.
This needs to be conditional based on the application's selected TLS
feature.
The `sshca-cli user login` command now requests a signed certificate
from the SSHCA server. Given a valid OpenID Connect identity token and
an SSH public key, the server will return a signed certificate, valid
for a predetermined (usually short) period of time. The principals
listed in the certificate are derived from the ID token.
The `rustls` feature will enable building with [rustls] instead of
OpenSSL. This will make it so the `sshca-cli` binary can be statically
linked, and thus distributable as a single file.
[rustls]: https://github.com/rustls/rustls
The `sshca user login` command will eventually provide the command-line
interface for obtaining user SSH certificates. It initiates the OAuth2
login process, retreiving an OpenID Connect Identity Token from the
OpenID Server. This token will be submitted to the SSHCA server to
authorize a request to sign a certificate. For now, though, the token
is printed to standard output, e.g. to be used in a `curl` request.
The CLI tool will be the primary method for interacting with the SSH CA
service. For now, it supports a single operation: `sshca-cli host
sign`, which requests a certificate to be signed by the CA service.`
Dustin