From 882c473d2b29c18732b2be2442a9d1625f4184c7 Mon Sep 17 00:00:00 2001
From: Yann Verry
Date: Sun, 5 May 2019 22:17:20 +0200
Subject: [PATCH] Add readme and unsupport DSA
---
 README.md | 23 +++++++++++++++++++++++
 vault-cert-openssh.py | 22 +---------------------
 2 files changed, 24 insertions(+), 21 deletions(-)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5fb07b9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,23 @@
+# Vault Certificate OpenSSH
+
+This script check your current certificate expiration and ask to sign on your vault if needed
+
+## Usage
+
+### Vault
+
+On your vault server you need to follow this documentation: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html
+
+### SSH Wrapper
+
+Before each SSH connection add this wrapper command:
+```bash
+python vault-cert-openssh.py ~/.ssh/-cert.pub
+```
+
+# Dev side
+
+Prerequisite:
+* Python >=3.7
+ * hvac
+* Vault
\ No newline at end of file
diff --git a/vault-cert-openssh.py b/vault-cert-openssh.py
index cdc95b9..e6d5862 100644
--- a/vault-cert-openssh.py
+++ b/vault-cert-openssh.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 #
 # OpenSSH certificate sign with Hashicorp Vault
+# https://github.com/yverry/vault-cert-openssh
 #
 # References:
 # - https://tools.ietf.org/html/rfc4251.html#section-5
@@ -89,26 +90,6 @@ rsaFormat = [
 (decodeString, "signature"),
 ]
 
-dsaFormat = [ (decodeString, ), (decodeString, "nonce"), (decodeMpint, "p"), (decodeMpint, "q"), (decodeMpint, "g"), (decodeMpint, "y"), (decodeUint64, "serial"), (decodeUint32, "type"), (decodeString, "key id"), (decodeString, "valid principals"), (decodeUint64, "valid after"), (decodeUint64, "valid before"), (decodeString, "critical options"), (decodeString, "extensions"), (decodeString, "reserved"), (decodeString, "signature key"), (decodeString, "signature"), ]
-
 ecdsaFormat = [
 (decodeString, "nonce"),
 (decodeString, "curve"),
@@ -144,7 +125,6 @@ ed25519Format = [
 formats = {
 "ssh-rsa-cert-v01@openssh.com": rsaFormat,
- "ssh-dss-cert-v01@openssh.com": dsaFormat,
 "ecdsa-sha2-nistp256-v01@openssh.com": ecdsaFormat,
 "ecdsa-sha2-nistp384-v01@openssh.com": ecdsaFormat,
 "ecdsa-sha2-nistp521-v01@openssh.com": ecdsaFormat,