@@ -70,15 +70,20 @@ func processCommand() int {
7070 log .Fatal (err )
7171 }
7272
73- userOverridden := overrideUser (& vaultClient , & sshClient )
74- if userOverridden {
75- log .Info ("remote user overridden by vault role" )
76- }
77-
7873 if err := sshClient .ParseConfig (); err != nil {
7974 log .Fatal ("failed to parse ssh configuration: " , err )
8075 }
8176
77+ roleDefaulted := defaultRoleToUser (& vaultClient , & sshClient )
78+ if roleDefaulted {
79+ log .Infof ("defaulted vault role to ssh username: %s" , sshClient .User )
80+ }
81+
82+ userOverridden := overrideUser (& vaultClient , & sshClient )
83+ if userOverridden {
84+ log .Infof ("ssh username overridden by vault role: %s" , sshClient .User )
85+ }
86+
8287 // if we have already have a Control Connection, use it
8388 controlConnection := sshClient .ControlConnection ()
8489
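Review bot: The new call order matters and is undocumented: defaultRoleToUser must run after ParseConfig (so sshClient.User is the resolved username) and before overrideUser (which may replace that username), yet nothing in the hunk says so, and the Infof at line 79 prints sshClient.User even when ParseConfig resolved no user at all. A short comment above line 77 would pin the ordering: `// default the role from the parsed username before overrideUser can replace that username`. The second Infof at line 84 is correct as written since overrideUser has already assigned the new user. processCommand starts and ends outside this hunk.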
@@ -136,14 +141,22 @@ func setupExitHandler(fn string) {
136141 }()
137142}
138143
144+ func defaultRoleToUser (vaultClient * signer.Client , sshClient * openssh.Client ) bool {
145+ // if role hasn't been set already, default to resolved SSH username
146+ if vaultClient .Options .Role == "" {
147+ vaultClient .Options .Role = sshClient .User
148+ return true
149+ }
150+ return false
151+ }
152+
139153func overrideUser (vaultClient * signer.Client , sshClient * openssh.Client ) bool {
140154 // if the role only allows a single, fixed user, use it
141- if user := vaultClient .GetAllowedUser (); user != "" {
155+ if user := vaultClient .GetAllowedUser (); user != "" && sshClient . User != user {
142156 sshClient .User = user
143157 sshClient .PrependArgs ([]string {"-l" , user })
144158 return true
145159 }
146-
147160 return false
148161}
149162
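Review bot: defaultRoleToUser reports success when sshClient.User is empty: the guard at line 146 checks only Options.Role, so an unresolved username assigns "" as the role, returns true, and the caller logs a default that was never applied. Tighten the guard to `if vaultClient.Options.Role == "" && sshClient.User != "" {` so the empty case falls through to `return false`. The new helper also lacks a doc comment; something like `// defaultRoleToUser sets the vault role to the resolved ssh username when no role was configured and reports whether the default was applied.` makes clear that the role name now derives from the ssh username, with Vault's role policy remaining the authorization boundary. The added `sshClient.User != user` condition at line 155 correctly avoids prepending a redundant `-l` when the allowed user already matches.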