SSH support for sandbox access.
When --ssh is enabled, sandboxes get an sshd configured for
certificate-only authentication. Vault or a local CA signs
ephemeral client certificates.
Structs
- SshConfig - SSH configuration for a sandbox
Functions
- generate_ca_keypair - Generate an ed25519 CA keypair for the built-in (non-Vault) path.
- generate_client_keypair - Generate an ephemeral ed25519 client keypair.
- generate_sshd_config - Generate an sshd_config string for certificate-only authentication.
- get_vault_ca_public_key - Fetch the CA public key from Vault’s SSH secrets engine.
- parse_ttl_to_secs - Parse a TTL string (e.g. “30m”, “1h”, “5m”, “2h30m”) to seconds.
- sign_client_key - Convenience wrapper that routes to Vault or local signing based on config.
- sign_client_key_local - Sign a client public key with a local CA private key.
- sign_client_key_vault - Sign a client public key via Vault SSH secrets engine.
- sshd_file_injections - Build the list of files to inject into the sandbox for SSH support.