Is your feature request related to a problem? Please describe.
I'd like to be able to generate SSH OTPs that are associated with a hostname or other text-based machine identifier instead of an IP address.
Currently, if I try to enter a hostname into the "IP" field on the generate credentials page, it returns the error `Invalid IP "a"`.
For my situation, IP address is not a reliable identifier of an individual machine: each machine has multiple IP addresses, and two machines behind different NATs can share an IP address, so one credential would work for either of them.
The machine's unique domain name would be much better to use for my situation.
Describe the solution you'd like
In the configuration page:
Option 1:
A new field "allow domains" (checkbox), along with the fields from SSH CA:
Allowed domains
Allowed domains template
Option 2:
Allow the "CIDR List" field in the role config page to accept a wildcard which means "allow text".
For both options, on the generate credential page, allow things other than just an IP, and validate it against what is allowed in the configuration.
Describe alternatives you've considered
Potentially using the TOTP secrets engine, as that only requires a single request to Vault for machines to generate their TOTP credentials (one per login username); then it can be verified offline.
(But this request requires authentication, unlike the SSH OTP verify request.)
Also, that can use the existing pam_oath package to validate tokens; a custom tool just generates the token and saves it to the relevant config file.
Explain any additional use-cases
The two situations I want to use this for:
sudo login: sudo, enter this password instead of the root password; a custom PAM module checks it against Vault.
local login: enter username and password on the login screen; a custom PAM module checks it against Vault.
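As an added illustration (not Vault's code and not part of the issue above), here is a constructed model of the validation the request describes: a role keeps its existing CIDR list and hypothetically gains an `allowed_domains` list (option 1); an IP target is checked against the CIDR list, anything else is treated as a hostname and must match the allowed domains, where `*.suffix` matches exactly one extra label. The `ROLE` dict, field names and error strings are assumptions for the example.

```python
import ipaddress
import re

# Constructed example, not Vault's own code. The role shape below is an
# assumption: "cidr_list" mirrors today's role setting, "allowed_domains"
# is the hypothetical new field from option 1 of the request. A "*.suffix"
# pattern matches one leading label only, so "a.b.web.example.com" is
# rejected by "*.web.example.com" (narrow matching, like the SSH CA fields).
ROLE = {
    "cidr_list": ["10.0.0.0/8", "192.168.1.0/24"],
    "allowed_domains": ["db01.example.com", "*.web.example.com"],
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    """Syntactic check only: 1-253 chars of dot-separated LDH labels."""
    name = name.lower().rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(l) for l in name.split("."))

def matches_domain(hostname: str, pattern: str) -> bool:
    """Exact match, or '*.suffix' matching exactly one leading label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".web.example.com"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return hostname == pattern

def validate_target(role: dict, target: str) -> str:
    """Return 'ip' or 'hostname' if the role permits target, else raise ValueError."""
    target = target.strip()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in ipaddress.ip_network(c, strict=False) for c in role.get("cidr_list", [])):
            return "ip"
        raise ValueError(f"IP {target!r} not in role CIDR list")
    if not role.get("allowed_domains"):
        # A role that has not opted in to domains keeps today's behaviour.
        raise ValueError(f"Invalid IP {target!r}")
    if not is_valid_hostname(target):
        raise ValueError(f"Invalid hostname {target!r}")
    if any(matches_domain(target, p) for p in role["allowed_domains"]):
        return "hostname"
    raise ValueError(f"hostname {target!r} not in role allowed domains")
```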