Vault SSH: Exposed verify request/response messges to agent

api/ssh_agent.go

@@ -16,8 +16,16 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
+const (
 	// Default path at which SSH backend will be mounted
-const SSHAgentDefaultMountPoint = "ssh"
+	SSHAgentDefaultMountPoint = "ssh"
+
+	// Echo request message sent as OTP by the agent
+	VerifyEchoRequest = "verify-echo-request"
+
+	// Echo response message sent as a response to OTP matching echo request
+	VerifyEchoResponse = "verify-echo-response"
+)
 
 // This is a structure representing an SSH agent which can talk to vault server
 // in order to verify the OTP entered by the user. It contains the path at which

builtin/logical/ssh/path_verify.go

@@ -1,15 +1,11 @@
 package ssh
 
 import (
+	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
 
-const (
-	VerifyEchoRequest  = "verify-echo-request"
-	VerifyEchoResponse = "verify-echo-response"
-)
-
 func pathVerify(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "verify",
@@ -33,10 +29,10 @@ func (b *backend) pathVerifyWrite(req *logical.Request, d *framework.FieldData)
 	// If OTP is not a UUID and a string matching VerifyEchoRequest, then the
 	// response will be VerifyEchoResponse. This is used by agent to check if
 	// connection to Vault server is proper.
-	if otp == VerifyEchoRequest {
+	if otp == api.VerifyEchoRequest {
 		return &logical.Response{
 			Data: map[string]interface{}{
-				"message": VerifyEchoResponse,
+				"message": api.VerifyEchoResponse,
 			},
 		}, nil
 	}