Accumulated extensions to goatherd from I4

Simon Schuster requested to merge i4/infra/goatherd:master into master

Some members of ICIP-guru indicated general interest in us upstreaming our internal changes to goatherd as we use it at i4.

Those changes are basically threefold:

  • Allow multiple secrets per user

    This is handled by adding additional identities (e.g. "schuster" and "schuster/alternatekey") to goatherd. These identities are all queried when trying to authenticate for the main principal/user.

  • Add support for TOTP keys

    TOTP has the advantage that no counters have to be managed or resynced.

    Note: This modifies the database layout (by adding an additional column) and sync-file format.

  • Add support for a "quorum_size" parameter

    This allows explicitly specifying the size of the quorum if desired, that is, how many nodes have to agree for a positive authentication (this is useful for setups with e.g. only two nodes; in this case, the default calculation wants a quorum of #servers/2+1, which means both have to be reachable...)

Additionally, there are some minor improvements such as providing a help message when no command-line arguments are passed or removing unnecessary dependencies from the builddeps.

Just let us know in case you are not interested or anything looks odd to you.

Edited by Simon Schuster
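
The three changes described above, as an added sketch that is not part of this merge request or goatherd's code: a TOTP check tried against every identity of a principal, and the quorum calculation with and without an explicit `quorum_size`. All identifiers, the in-memory `db` map and the secrets are hypothetical; it assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and that a `quorum_size` of 0 means "not set".

```go
// Added example (not goatherd's code); identifiers and data layout are hypothetical.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
)

// totp computes an RFC 6238 code. The moving factor is the clock divided by
// the 30 s step, so there is no per-user counter to store or resync.
func totp(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verify tries "principal" and every "principal/<label>" identity; "schusterx" must not match "schuster".
func verify(db map[string][]byte, principal, offered string, unix int64) bool {
	ok := false
	for id, secret := range db {
		if id == principal || strings.HasPrefix(id, principal+"/") {
			ok = ok || hmac.Equal([]byte(totp(secret, unix)), []byte(offered))
		}
	}
	return ok
}

// quorum returns how many nodes must agree: quorumSize if set, else #servers/2+1.
func quorum(servers, quorumSize int) int {
	if quorumSize > 0 {
		return quorumSize
	}
	return servers/2 + 1
}

func main() {
	// Constructed secrets; the second is the RFC 6238 test key, valid code "287082" at t=59.
	db := map[string][]byte{"schuster": []byte("constructed-secret-1"), "schuster/alternatekey": []byte("12345678901234567890")}
	fmt.Println(verify(db, "schuster", "287082", 59), quorum(2, 0), quorum(2, 1))
}
```

With two servers the default requires both nodes to agree, while an explicit size of 1 lets a single reachable node authenticate.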
