The ESS service can be accessed using two components:
- ess_admin tool - used by admin users to manage users
- libess - used by users to authenticate from the PAM Linux module
In order to connect to the ESS service the admin clients must use the proper TLS certificates, which can be set:
- from the command line
- using the envars: ESS_ADMIN_ROOT_CA, ESS_ADMIN_CERT and ESS_ADMIN_CERT_KEY
- the last option is the ./cert/admin folder from the current working directory

In order to get the admin certificate use this guide
USAGE:
ess_admin [OPTIONS] <SUBCOMMAND>
OPTIONS:
--pam This flag controls if we need to connect as PAM user. By default the admin connection details will be used
--cafile <CAFILE> Root CA file path To skip this required args set ESS_ROOT_CA envar
--cert <CERT> The admin client certificate file path To skip this required args set ESS_ADMIN_CERT envar
--key <KEY> The admin client certificate private key file path To skip this required args set ESS_ADMIN_CERT_KEY envar
--url <URL> The webservice host url To skip this required args set ESS_WS_URL envar
-v, --verbose Verbose mode
-V, --version Print version information
-h, --help Print help information
SUBCOMMANDS:
add Insert user
delete Delete user
get-all Get all users
get-user Get user data by username
help Print this message or the help of the given subcommand(s)
update Update user info & secret except the username
verify Verify secret for username
USAGE:
ess_admin add [OPTIONS] --username <USERNAME>
OPTIONS:
-f, --first-name <FIRST_NAME> The user's first name [default: noname]
-l, --last-name <LAST_NAME> The user's last name [default: noname]
-q, --qr-code Return plain secret code or as QR code
-u, --username <USERNAME> The unique user name
USAGE:
ess_admin delete <USERNAME>
ARGS:
<USERNAME> The unique username
USAGE:
ess_admin update [OPTIONS] <USERNAME>
ARGS:
<USERNAME> The unique user name
OPTIONS:
-f, --first-name <FIRST_NAME> The user's first name
-l, --last-name <LAST_NAME> The user's last name
USAGE:
ess_admin get-user <USERNAME>
ARGS:
<USERNAME> The unique username
USAGE:
ess_admin get-all
USAGE:
ess_admin verify <USERNAME> <ONE_TIME_PASSWORD>
ARGS:
<USERNAME> The unique user name
<ONE_TIME_PASSWORD> The OTP code generated by the app
In order to connect to the ESS service the PAM clients must use the proper TLS certificates, which can be set:
- using the envars: ESS_PAM_ROOT_CA, ESS_PAM_CERT and ESS_PAM_CERT_KEY
- or using the ./cert/pam folder from the current working directory

In order to get the PAM client certificate use this guide
int verify_otp(const char *username, const char *otp);
The function returns ESS_OK or 0 on success and ESS_ERROR or a non-zero value in case of an error.
const char *ess_pam_last_error_str(void);
This function should be called only if the ESS PAM API returned ESS_ERROR or another non-zero value.
If the last call succeeded, the last error will be reset to the "ok" string.
const char *ess_pam_version(void);
To build the components you must have cargo and the Rust compiler installed on the build machine.
cargo build --release
Note that the ess API header esspam.h will be generated by the cargo build.
cargo test -- --nocapture
cargo install --path .
The previous command will install the tool in /home/<username>/.cargo/bin/.
Since the certificates must not be shared, they can be installed in $HOME, with the ESS_ADMIN_ROOT_CA, ESS_ADMIN_CERT and ESS_ADMIN_CERT_KEY envars set from .bashrc.
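One way to do this from .bashrc, as an added example that is not part of the ESS project: the function below exports the three variables only when the certificate directory and the private key are closed to group and other users. The file names ca.pem, admin.pem and admin.key, the default directory and the function name ess_admin_env are assumptions.

```shell
# Added example: load the ESS admin client certificates from a private directory.
# Assumed (not from the ESS docs): file names ca.pem, admin.pem, admin.key,
# the default directory $HOME/.ess/admin and the function name ess_admin_env.
ess_admin_env() {
    dir=${1:-"$HOME/.ess/admin"}
    ca="$dir/ca.pem"
    cert="$dir/admin.pem"
    key="$dir/admin.key"

    # All three files must exist and be readable by the current user.
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "ess_admin_env: missing or unreadable file: $f" >&2
            return 1
        fi
    done

    # The directory and the private key must grant nothing to group/other.
    # Characters 5-10 of the ls mode string are the group and other bits.
    for p in "$dir" "$key"; do
        bits=$(ls -ldL -- "$p" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "ess_admin_env: $p is open to group/other; run: chmod go-rwx '$p'" >&2
            return 2
        fi
    done

    export ESS_ADMIN_ROOT_CA="$ca"
    export ESS_ADMIN_CERT="$cert"
    export ESS_ADMIN_CERT_KEY="$key"
}

# In ~/.bashrc, after the definition:
#   ess_admin_env "$HOME/.ess/admin"
```

A return code of 1 means a file is missing, 2 means the permissions are too open; in both cases no variable is exported.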
TBD