Summary
I'd like to contribute enhanced authentication helpers to libplugin/ that add:
- SSH certificate validation against trusted CAs
- Multiple CA key sources (file, base64, Vault)
- Standardized helpers to reduce code duplication
Motivation
The current certificate authentication works but enterprise deployments need:
- Multiple CA sources - Not just files, but also inline base64 and Vault secrets
- Certificate validation helpers - Reusable MatchAndValidateCACert() function
- Code deduplication - Same patterns repeated across yaml, docker, kubernetes plugins
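As an added illustration of the two helper ideas above (trusted CA keys gathered from more than one source, then a certificate matched and validated against them), here is a self-contained Go program. It is example code written for this discussion, not the project's libplugin code nor the fork mentioned below, and it uses no dependency outside the Go standard library: the OpenSSH certificate wire format for ssh-ed25519 is parsed by hand, so it handles only ed25519 certificates and ignores critical options and extensions. The names LoadCAs, Validate, SignCert and Demo are this example's own, not an assumed libplugin API; the keys and certificates are generated at run time, so nothing here is real key material. A Vault-backed source is not shown, but it would simply be one more bare-base64 string passed to LoadCAs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical example, not the project's code; wire format per OpenSSH PROTOCOL.certkeys.
const certType = "ssh-ed25519-cert-v01@openssh.com"
const userCert = 1 // SSH_CERT_TYPE_USER

// Minimal SSH wire encoder (uint32, uint64, string) and a bounds-checked decoder. The decoder
// panics on truncated input; Validate turns that into an error (the bailout pattern several
// standard-library parsers use internally).
func putU32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
func putU64(b []byte, v uint64) []byte { return putU32(putU32(b, uint32(v>>32)), uint32(v)) }
func putStr(b, s []byte) []byte        { return append(putU32(b, uint32(len(s))), s...) }

type reader struct{ b []byte }

func (r *reader) u32() uint32 {
	if len(r.b) < 4 { panic("truncated certificate") }
	v := uint32(r.b[0])<<24 | uint32(r.b[1])<<16 | uint32(r.b[2])<<8 | uint32(r.b[3])
	r.b = r.b[4:]
	return v
}
func (r *reader) u64() uint64 { hi := r.u32(); return uint64(hi)<<32 | uint64(r.u32()) }
func (r *reader) str() []byte {
	n := r.u32()
	if uint64(len(r.b)) < uint64(n) { panic("truncated certificate") }
	s := r.b[:n]
	r.b = r.b[n:]
	return s
}

// An "ssh-ed25519" public key blob is a fixed header (type tag + key length) followed by the 32-byte key.
var pubHdr = putU32(putStr(nil, []byte("ssh-ed25519")), ed25519.PublicKeySize)

func marshalPub(k ed25519.PublicKey) []byte { return append(append([]byte{}, pubHdr...), k...) }
func parsePub(blob []byte) (ed25519.PublicKey, error) {
	if len(blob) != len(pubHdr)+ed25519.PublicKeySize || string(blob[:len(pubHdr)]) != string(pubHdr) {
		return nil, errors.New("not an ssh-ed25519 public key")
	}
	return ed25519.PublicKey(blob[len(pubHdr):]), nil
}

// LoadCAs aggregates trusted CA keys from several sources. Each source is either the content of
// a TrustedUserCAKeys-style file ("ssh-ed25519 <base64> [comment]" per line, '#' comments) or a
// bare base64 key blob, e.g. an inline config value or a payload fetched from a secret store.
func LoadCAs(sources ...string) ([]ed25519.PublicKey, error) {
	var keys []ed25519.PublicKey
	for _, src := range sources {
		for _, line := range strings.Split(src, "\n") {
			f := strings.Fields(line)
			if len(f) == 0 || f[0][0] == '#' { continue }
			if f[0] == "ssh-ed25519" && len(f) > 1 { f = f[1:] } // key-file line: skip the type tag
			raw, err := base64.StdEncoding.DecodeString(f[0])
			if err != nil { return nil, fmt.Errorf("CA key %q: %w", line, err) }
			k, err := parsePub(raw)
			if err != nil { return nil, fmt.Errorf("CA key %q: %w", line, err) }
			keys = append(keys, k)
		}
	}
	return keys, nil
}

// Validate parses an ed25519 user certificate, matches the CA key it *claims* was used against
// the trusted set, verifies the signature with the trusted copy of that key (never with the key
// carried in the certificate), then enforces type, validity window and principal. On success it
// returns the certificate's key id.
func Validate(blob []byte, trusted []ed25519.PublicKey, principal string, now time.Time) (keyID string, err error) {
	defer func() { if e := recover(); e != nil { keyID, err = "", fmt.Errorf("bad certificate: %v", e) } }()
	r := &reader{b: blob}
	if string(r.str()) != certType { panic("unsupported certificate type") }
	r.str() // nonce
	if len(r.str()) != ed25519.PublicKeySize { panic("bad subject key") }
	r.u64() // serial (not checked here)
	kind, id := r.u32(), string(r.str())
	principals := &reader{b: r.str()}
	validAfter, validBefore := r.u64(), r.u64()
	r.str(); r.str(); r.str() // critical options, extensions, reserved (not enforced here)
	claimedCA, err := parsePub(r.str())
	if err != nil { return "", err }
	signed := blob[:len(blob)-len(r.b)] // the signature covers everything before the signature field
	s := &reader{b: r.str()}
	if string(s.str()) != "ssh-ed25519" { panic("unsupported signature type") }
	sig := s.str()
	var ca ed25519.PublicKey // only a key taken from the trusted set is ever used to verify
	for _, k := range trusted { if string(k) == string(claimedCA) { ca = k } }
	ts := uint64(now.Unix())
	switch {
	case ca == nil: return "", errors.New("certificate not issued by a trusted CA")
	case !ed25519.Verify(ca, signed, sig): return "", errors.New("invalid CA signature")
	case kind != userCert: return "", errors.New("not a user certificate")
	case ts < validAfter || ts >= validBefore: return "", errors.New("certificate outside its validity window")
	}
	// An empty principal list is rejected here (OpenSSH would treat it as "any principal").
	for len(principals.b) > 0 { if string(principals.str()) == principal { return id, nil } }
	return "", fmt.Errorf("principal %q not listed in certificate %q", principal, id)
}

// SignCert issues a user certificate; it exists only to construct this example's test data.
func SignCert(ca ed25519.PrivateKey, user ed25519.PublicKey, id string, principals []string, after, before uint64) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	b := putStr(putStr(putStr(nil, []byte(certType)), nonce), user)
	b = putStr(putU32(putU64(b, 1), userCert), []byte(id)) // serial, type, key id
	var ps []byte
	for _, p := range principals { ps = putStr(ps, []byte(p)) }
	b = putU64(putU64(putStr(b, ps), after), before)
	b = putStr(putStr(putStr(b, nil), nil), nil) // critical options, extensions, reserved
	b = putStr(b, marshalPub(ca.Public().(ed25519.PublicKey)))
	return putStr(b, putStr(putStr(nil, []byte("ssh-ed25519")), ed25519.Sign(ca, b)))
}

// Demo runs the validator over constructed keys and certificates and reports the outcomes.
func Demo() (validOK, untrustedRejected, wrongPrincipalRejected, expiredRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)   // trusted CA, fed in as key-file content
	ca2Pub, ca2Priv, _ := ed25519.GenerateKey(rand.Reader) // trusted CA, fed in as inline base64
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)    // never loaded into the trusted set
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	b64 := func(k ed25519.PublicKey) string { return base64.StdEncoding.EncodeToString(marshalPub(k)) }
	trusted, err := LoadCAs("# constructed key file\nssh-ed25519 "+b64(caPub)+" ca1@example\n", b64(ca2Pub))
	if err != nil { return }
	now := time.Now()
	after, before := uint64(now.Add(-time.Hour).Unix()), uint64(now.Add(time.Hour).Unix())
	good := SignCert(caPriv, userPub, "alice@ca1", []string{"alice"}, after, before)
	good2 := SignCert(ca2Priv, userPub, "alice@ca2", []string{"deploy", "alice"}, after, before)
	rogue := SignCert(roguePriv, userPub, "alice@rogue", []string{"alice"}, after, before)
	old := SignCert(caPriv, userPub, "alice@old", []string{"alice"}, after-7200, after-3600)
	_, e1 := Validate(good, trusted, "alice", now)
	_, e2 := Validate(good2, trusted, "alice", now)
	_, e3 := Validate(rogue, trusted, "alice", now)
	_, e4 := Validate(good, trusted, "bob", now)
	_, e5 := Validate(old, trusted, "alice", now)
	return e1 == nil && e2 == nil, e3 != nil, e4 != nil, e5 != nil
}

func main() { fmt.Println(Demo()) }
```

The point worth carrying into any real helper is the order of checks in Validate: the CA key embedded in a certificate is untrusted input, so it is only ever used to select a key from the store, and the signature is verified with the store's copy. Truncated or malformed input is handled before any cryptographic check, and a certificate from a CA that is absent from the store fails without a signature ever being examined.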
Proposed Changes (Incremental PRs)
I plan to submit this as small, incremental PRs:
| Phase | File | Lines | Description |
|-------|------|-------|-------------|
| 1 | libplugin/sshutil.go | ~90 | Certificate validation, known_hosts verification |
| 2 | libplugin/skelhelpers.go | ~200 | StandardTrustedUserCAKeys, StandardAuthorizedKeys |
| 3 | libplugin/skelhelpers.go | ~150 | StandardTestPassword, StandardPrivateKey |
| 4 | libplugin/authutil.go | ~300 | Vault integration (optional) |
| 5 | libplugin/authutil.go | ~250 | Multi-source aggregation |
Each PR builds on the previous and can be reviewed independently.
Questions
- Would you prefer this approach or a single larger PR?
- Is Vault integration welcome? (Can be made optional via build tags)
- Any concerns about adding helpers to libplugin?
Implementation Ready
I have working implementations tested in a fork. Happy to adjust based on feedback.