Vault SSH: Default lease of 5 min for SSH secrets

api/ssh.go

@@ -10,11 +10,12 @@ type SSH struct {
 	MountPoint string
 }
 
-// SSH is used to return the client for logical-backend API calls.
+// Returns the client for logical-backend API calls.
 func (c *Client) SSH() *SSH {
 	return c.SSHWithMountPoint(SSHDefaultMountPoint)
 }
 
+// Returns the client with specific SSH mount point.
 func (c *Client) SSHWithMountPoint(mountPoint string) *SSH {
 	return &SSH{
 		c:          c,
@@ -22,7 +23,7 @@ func (c *Client) SSHWithMountPoint(mountPoint string) *SSH {
 	}
 }
 
-// Invokes the SSH backend API to create a dynamic key or an OTP
+// Invokes the SSH backend API to create a credential to establish an SSH session.
 func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error) {
 	r := c.c.NewRequest("PUT", fmt.Sprintf("/v1/%s/creds/%s", c.MountPoint, role))
 	if err := r.SetJSONBody(data); err != nil {

api/ssh_agent.go

@@ -75,10 +75,10 @@ func (c *SSHAgentConfig) TLSClient(certPool *x509.CertPool) *http.Client {
 	return &client
 }
 
-// Returns a new client for the given configuration. This client will be used
+// Returns a new client for the configuration. This client will be used by the
-// SSH agent to communicate with Vault server to verify the OTP entered by user.
+// SSH agent to communicate with Vault server and verify the OTP entered by user.
 // If the configuration supplies Vault SSL certificates, then the client will
-// have tls configured in its transport.
+// have TLS configured in its transport.
 func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	// Creating a default client configuration for communicating with vault server.
 	clientConfig := DefaultConfig()
@@ -86,6 +86,7 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	// Pointing the client to the actual address of vault server.
 	clientConfig.Address = c.VaultAddr
 
+	// Check if certificates are provided via config file.
 	if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
 		var certPool *x509.CertPool
 		var err error
@@ -97,6 +98,8 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		// Change the configuration to have an HTTP client with TLS enabled.
 		clientConfig.HttpClient = c.TLSClient(certPool)
 	}
 
@@ -105,11 +108,12 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	return client, nil
 }
 
-// Loads agent's configuration from the file and populates the corresponding
+// Load agent's configuration from the file and populate the corresponding
-// in memory structure.
+// in-memory structure. Vault address and SSH mount points required parameters.
 func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 	var config SSHAgentConfig
 	contents, err := ioutil.ReadFile(path)
@@ -125,6 +129,14 @@ func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 	} else {
 		return nil, err
 	}
+
+	if config.VaultAddr == "" {
+		return nil, fmt.Errorf("config missing vault_addr")
+	}
+	if config.SSHMountPoint == "" {
+		return nil, fmt.Errorf("config missing ssh_mount_point")
+	}
+
 	return &config, nil
 }
 

builtin/logical/ssh/path_creds_create.go

@@ -4,12 +4,15 @@ import (
 	"fmt"
 	"net"
 	"strconv"
+	"time"
 
 	"github.com/hashicorp/vault/helper/uuid"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
 
+const defaultSSHLeaseDuration = 5 * time.Minute
+
 type sshOTP struct {
 	Username string `json:"username"`
 	IP       string `json:"ip"`
@@ -133,6 +136,11 @@ func (b *backend) pathCredsCreateWrite(
 		result.Secret.LeaseGracePeriod = lease.LeaseMax
 	}
 
+	if lease == nil {
+		result.Secret.Lease = defaultSSHLeaseDuration
+		result.Secret.LeaseGracePeriod = 0
+	}
+
 	return result, nil
 }