v1.2.2

@marcvs marcvs released this 09 Apr 08:21

Changelog since v1.2.0

oinit-ca

  • Configurable certificate principals (cert-principals): space-separated list with $provisioned-user substitution; oinit is always
    included
  • Configurable force-command (force-command): supports $cert-principals and $provisioned-user substitution; defaults to oinit-switch
    $cert-principals
  • Provisioning toggle (provision-user): when false, calls motley_cue's /user/get_status (token validation only) instead of
    /user/deploy; requires default-user to be set
  • Fixed username (default-user): used as certificate username when provision-user = false
  • Non-JWT token support: the certificate request may carry a client-provided issuer, so opaque (non-JWT) access tokens can be
    handled; the CA resolves the issuer from the JWT iss claim first, then from the motley_cue response, and only then from the
    client-supplied value
  • Userinfo endpoint lookup: when sub is still unknown after JWT/motley_cue parsing, the OP's userinfo endpoint is queried via
    .well-known/openid-configuration
  • CA discovery HTTPS fallback: if DNS TXT lookup fails, probes https:///oinit/ before giving up
  • Health endpoint: added GET /health for Docker Compose health checks
  • cert-validity-fallback: new config option for tokens without an exp claim (e.g. Google)
  • Listen address configurable via -l flag or listen-address in config
  • KeyId now encodes sub @ iss -> username for audit logging
  • FLAAT error format parsed from motley_cue error responses

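The issuer, subject and validity fallbacks above are easier to follow as code. The following is an added example written for this page, not code from the oinit project: it decodes JWT claims without verifying them (validation stays with motley_cue), applies the iss fallback chain (JWT claim, then motley_cue, then client value), defers to an injected userinfo lookup when sub is still unknown, and substitutes cert-validity-fallback for tokens without exp. The MotleyCueInfo field names, the exact KeyId spacing and the sample token are assumptions or constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of token claims the CA consults. For an opaque
// (non-JWT) token every field stays empty and must be filled from elsewhere.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp,omitempty"`
}

// ParseJWTClaims decodes the payload of a JWT WITHOUT verifying the signature:
// the claims are hints only; token validation is motley_cue's job.
// Opaque tokens (not three dot-separated parts) yield (Claims{}, false).
func ParseJWTClaims(token string) (Claims, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, false
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, false
	}
	return c, true
}

// MotleyCueInfo is what the CA learned from /user/deploy or /user/get_status.
// Field names are this example's assumption, not motley_cue's real schema.
type MotleyCueInfo struct {
	Iss string
	Sub string
}

// ResolveIssuer: JWT iss claim, then motley_cue, then the client-supplied value.
func ResolveIssuer(c Claims, mc MotleyCueInfo, clientIss string) (string, error) {
	for _, cand := range []string{c.Iss, mc.Iss, clientIss} {
		if cand != "" {
			return cand, nil
		}
	}
	return "", errors.New("issuer unknown")
}

// ResolveSubject: JWT sub, then motley_cue, then the OP's userinfo endpoint.
// The lookup is injected so this runs offline; a real CA would fetch
// <iss>/.well-known/openid-configuration, read userinfo_endpoint and call it
// with the access token as a Bearer token.
func ResolveSubject(c Claims, mc MotleyCueInfo, iss string, userinfo func(iss string) (string, error)) (string, error) {
	if c.Sub != "" {
		return c.Sub, nil
	}
	if mc.Sub != "" {
		return mc.Sub, nil
	}
	if iss == "" {
		return "", errors.New("cannot query userinfo without an issuer")
	}
	return userinfo(iss)
}

// CertValidity caps the certificate lifetime at the token's exp; tokens
// without exp (Google's, for instance) get cert-validity-fallback instead.
func CertValidity(c Claims, now time.Time, fallback time.Duration) (time.Duration, error) {
	if c.Exp == 0 {
		return fallback, nil
	}
	remaining := time.Unix(c.Exp, 0).Sub(now)
	if remaining <= 0 {
		return 0, errors.New("token already expired")
	}
	return remaining, nil
}

// AuditKeyID renders the "sub @ iss -> username" KeyId (spacing assumed).
func AuditKeyID(sub, iss, username string) string {
	return fmt.Sprintf("%s @ %s -> %s", sub, iss, username)
}

// SampleJWT builds a constructed, unsigned JWT for the example; the
// signature part is a placeholder and nothing verifies it.
func SampleJWT() string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	payload := Claims{Iss: "https://op.example.org", Sub: "1234", Exp: 1700003600}
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	now := time.Unix(1700000000, 0)
	for _, tok := range []string{SampleJWT(), "ya29.opaque-google-token"} {
		c, isJWT := ParseJWTClaims(tok)
		iss, _ := ResolveIssuer(c, MotleyCueInfo{}, "https://accounts.google.com")
		sub, _ := ResolveSubject(c, MotleyCueInfo{}, iss, func(string) (string, error) { return "109876", nil })
		v, _ := CertValidity(c, now, 10*time.Minute)
		fmt.Printf("jwt=%v %s validity=%s\n", isJWT, AuditKeyID(sub, iss, "alice"), v)
	}
}
```

Because the client-supplied issuer is the last resort in the chain, a CA deployment should only accept values that match one of its configured providers; the example leaves that allowlist check to the caller.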
oinit (client)

  • File-based certificate storage: falls back to ~/.ssh/oinit__-cert.pub when ssh-agent is unavailable or gpg-agent is
    detected
  • Issuer tracking: the OIDC provider URL (from oidc-agent selection) is passed to the CA; OIDC_ISS/OIDC_ISSUER env vars used when
    token comes from environment/file
  • Manual token prompt: when oidc-agent is not running, lists supported providers and prompts for an access token
  • gpg-agent detection: recognised via GPG_AGENT_INFO and SSH_AUTH_SOCK path patterns; the certificate is then kept in file storage
    instead of the agent
  • CA discovery: improved logging distinguishes DNS TXT vs HTTPS discovery

oinit-switch

  • Multi-principal support: accepts the full principals list as arguments (oinit-switch alice git); switches to the first non-self,
    non-system user
  • Same-user shortcut: if current user is in the principals list, execs the login shell directly (avoiding su and its password prompt)
  • $SHELL used for same-user case instead of parsing /etc/passwd
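The CA-side cert-principals and force-command substitution and the host-side oinit-switch selection are two halves of one flow, shown here as one added example (written for this page, not the project's own code). It assumes that the always-included "oinit" principal goes into the certificate but not into the $cert-principals expansion, which matches the "oinit-switch alice git" form above; DefaultIsSystem is a constructed stand-in for the system-account test, and the su invocation in SwitchArgv is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// CertPrincipals expands cert-principals (space-separated, $provisioned-user
// substituted). It returns the expanded list, which is what $cert-principals
// stands for in force-command, and the certificate's principal list with
// "oinit" appended. Assumption: "oinit" is not part of the expansion.
func CertPrincipals(setting, provisionedUser string) (configured, certificate []string) {
	expanded := strings.ReplaceAll(setting, "$provisioned-user", provisionedUser)
	seen := map[string]bool{}
	for _, p := range strings.Fields(expanded) {
		if !seen[p] { // drop duplicates (example's choice)
			seen[p] = true
			configured = append(configured, p)
		}
	}
	certificate = append([]string(nil), configured...)
	if !seen["oinit"] {
		certificate = append(certificate, "oinit")
	}
	return configured, certificate
}

// ForceCommand expands force-command; an empty setting means the default
// "oinit-switch $cert-principals".
func ForceCommand(setting string, configured []string, provisionedUser string) string {
	if setting == "" {
		setting = "oinit-switch $cert-principals"
	}
	s := strings.ReplaceAll(setting, "$cert-principals", strings.Join(configured, " "))
	return strings.ReplaceAll(s, "$provisioned-user", provisionedUser)
}

// DefaultIsSystem is a constructed stand-in for oinit-switch's system-account
// test; the real criterion is not stated in the release notes (a UID range
// from /etc/login.defs would be the usual choice).
func DefaultIsSystem(user string) bool {
	switch user {
	case "root", "oinit", "git", "nobody":
		return true
	}
	return false
}

// ChooseTarget is oinit-switch's decision: the same-user shortcut if the
// current user is among the principals, otherwise the first principal that
// is not a system account (the current user is already ruled out by then).
func ChooseTarget(principals []string, current string, isSystem func(string) bool) (target string, sameUser bool, err error) {
	for _, p := range principals {
		if p == current {
			return current, true, nil
		}
	}
	for _, p := range principals {
		if !isSystem(p) {
			return p, false, nil
		}
	}
	return "", false, fmt.Errorf("no switchable user among principals %v", principals)
}

// SwitchArgv is what oinit-switch execs: $SHELL as a login shell in the
// same-user case (no su, hence no password prompt), else su to the target.
func SwitchArgv(target string, sameUser bool, shellEnv string) []string {
	if sameUser {
		if shellEnv == "" {
			shellEnv = "/bin/sh"
		}
		return []string{shellEnv, "-l"}
	}
	return []string{"su", "-", target}
}

func main() {
	configured, cert := CertPrincipals("$provisioned-user git", "alice")
	fmt.Println("certificate principals:", cert)
	fmt.Println("force-command:", ForceCommand("", configured, "alice"))
	// On the host the forced command runs as the login user, oinit here.
	target, same, err := ChooseTarget(configured, "oinit", DefaultIsSystem)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("exec:", SwitchArgv(target, same, os.Getenv("SHELL")))
}
```

Note that the principals list is the only input oinit-switch uses, and it comes from the certificate's forced command, which sshd passes in SSH_ORIGINAL_COMMAND-independent form; a user cannot widen it from the client side, which is what makes the switch safe to perform without a password.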

oinit-shell

  • Relaxed argument check to allow multiple arguments to oinit-switch