Skip to content

Latest commit

 

History

History
93 lines (56 loc) · 3.32 KB

PLANNING.md

File metadata and controls

93 lines (56 loc) · 3.32 KB
Raw

Blocking For 1.0 Release

  • IN PROGRESS - Code review, fix up input validation and more graceful error handling plus additional testing (initially for server & session).

Planned Post 1.0 Enhancements

  • Post 1.0 code review/refactor of client code.

  • STARTED - Migrate functions (including data) into a libexec folder (eventually facilitate alternate data stores).

  • Refactor code to match coding standards as they are defined

  • Record users OpenAKC public key in their user record

Possible Future Enhancements (Suggestions)

  • "openakc totp-register" - register a TOTP (Authenticator) code

  • "openakc totp" - enable an agent session with TOTP code.

  • "openakc totp-refresh" - refresh (non-expired) key for an agent session with TOTP code.

  • "openakc explain" - reports reason for last failure, (user validataed using their OpenAKC public key in their user record)

  • "openakc promote/demote [username]" - allow administrators to grant rights to registered users(using users OpenAKC public key in their user record)

  • Write reason for authentication failure into the session record (so it may be recalled by the user, Eg. openakc explain).

  • Can we add passphrase to admin private key for making role updates?

  • Managed login / debug wrapper to help users understand why, if they are unable to connect.

  • Offer some method to push values into users shell profile, like aliases, default, or read only environment variables.

  • Allow roles to be associated with a user or hostname including wildcards.

  • Tool to allow users to query via API what is required for access to a given host, and/or to determine why they were not permitted access, (require SYSTEM (or lower?) rights so it's not publically available).

  • Move audit name/command list into a configuration file.

  • for static keys, put comment in logs to show which key it is.

  • Some kind of web interface for self service key registration?

  • Add CONTRUBUTING.md and HACKING.md - As seen here:- https://github.com/simdjson/simdjson

Archive/Completed Fixes & Changes

  • DONE - Default role definition assigned to a host with no other role config.

  • DONE - Review "key" type, can we refer to a key by some "tag" other than fingerprint. This would allow the key to be updated without editing the role config. Separate static keys from user keys in data store.

  • DONE - Key delete function.

  • DONE - Option to disable Banner and restrictions messages (Hide OpenAKC?)

  • DONE - Audit should collect sshd_config if possible.

  • DONE - Implement PREEXEC/POSTEXEC feature to allow external script to be executed before/after authentication process on server, to allow functionality such as force directory refresh for user details incase of recent group changes.

  • DONE - Review log levels due to issues with rhel8

  • DONE - Client package needs to set bins, (and sshd_config?) to be immutable, and handle resetting the flag on upgrade/removal.

  • DONE - Default role definition added to all hosts in addition to role config. Hostname = DEFAULT?

  • DONE - Fix rolefile interpreter bug (20200911).

  • DONE - Merge multiple matching permissions (Note, not all permissions can be merged - we fixate on the first one to change, and everything else has to remain the same).

  • DONE - Fix debug logging bug

  • DONE - Migrate server to systemd (/lib/systemd/system files in resources)