Fix lint errors.

Gopkg.lock

@@ -344,15 +344,20 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:5dd7da6df07f42194cb25d162b4b89664ed7b08d7d4334f6a288393d54b095ce"
+  digest = "1:afc49fe39c8c591fc2c8ddc73adc4c69e67125dde6c58e24c91b3b0cf78602be"
   name = "golang.org/x/crypto"
   packages = [
     "cryptobyte",
     "cryptobyte/asn1",
+    "curve25519",
     "ed25519",
     "ed25519/internal/edwards25519",
+    "internal/chacha20",
+    "internal/subtle",
     "ocsp",
     "pbkdf2",
+    "poly1305",
+    "ssh",
     "ssh/terminal",
   ]
   pruneopts = "UT"
@@ -494,6 +499,7 @@
     "github.com/tsenart/deadcode",
     "github.com/urfave/cli",
     "golang.org/x/crypto/ocsp",
+    "golang.org/x/crypto/ssh",
     "golang.org/x/net/http2",
     "gopkg.in/square/go-jose.v2",
     "gopkg.in/square/go-jose.v2/jwt",

authority/provisioner/jwk_test.go

@@ -15,6 +15,7 @@ import (
 
 var (
 	defaultDisableRenewal   = false
+	defaultEnableSSHCA      = true
 	globalProvisionerClaims = Claims{
 		MinTLSDur:         &Duration{5 * time.Minute},
 		MaxTLSDur:         &Duration{24 * time.Hour},
@@ -26,6 +27,7 @@ var (
 		MinHostSSHDur:     &Duration{Duration: 5 * time.Minute}, // Host SSH certs
 		MaxHostSSHDur:     &Duration{Duration: 30 * 24 * time.Hour},
 		DefaultHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:       &defaultEnableSSHCA,
 	}
 )
 

authority/provisioner/sign_ssh_options.go

@@ -1,7 +1,6 @@
 package provisioner
 
 import (
-	"fmt"
 	"time"
 
 	"github.com/pkg/errors"
@@ -14,9 +13,6 @@ const (
 
 	// SSHHostCert is the string used to represent ssh.HostCert.
 	SSHHostCert = "host"
-
-	// sshProvisionerCommand is the provisioner command
-	sshProvisionerCommand = "sudo adduser --quiet --disabled-password --gecos '' %s 2>/dev/null ; nc -q0 localhost 22"
 )
 
 // SSHCertificateModifier is the interface used to change properties in an SSH
@@ -191,18 +187,6 @@ func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
 	}
 }
 
-type sshProvisionerExtensionModifier string
-
-func (m sshProvisionerExtensionModifier) Modify(cert *ssh.Certificate) error {
-	if cert.CertType == ssh.UserCert {
-		if cert.CriticalOptions == nil {
-			cert.CriticalOptions = make(map[string]string)
-		}
-		cert.CriticalOptions["force-command"] = fmt.Sprintf(sshProvisionerCommand, m)
-	}
-	return nil
-}
-
 // sshCertificateValidityModifier is a SSHCertificateModifier checks the
 // validity bounds, setting them if they are not provided. It will fail if a
 // CertType has not been set or is not valid.
@@ -291,20 +275,6 @@ func (v *sshCertificateDefaultValidator) Valid(crt *ssh.Certificate) error {
 	}
 }
 
-// sshCertTypeName returns the string representation of the given ssh.CertType.
-func sshCertTypeString(ct uint32) string {
-	switch ct {
-	case 0:
-		return ""
-	case ssh.UserCert:
-		return SSHUserCert
-	case ssh.HostCert:
-		return SSHHostCert
-	default:
-		return fmt.Sprintf("unknown (%d)", ct)
-	}
-}
-
 // sshCertTypeUInt32
 func sshCertTypeUInt32(ct string) uint32 {
 	switch ct {

authority/provisioner/ssh_test.go

@@ -98,6 +98,9 @@ func signSSHCertificate(key crypto.PublicKey, opts SSHOptions, signOpts []SignOp
 	default:
 		return nil, fmt.Errorf("unexpected ssh certificate type: %d", cert.CertType)
 	}
+	if err != nil {
+		return nil, err
+	}
 	cert.SignatureKey = signer.PublicKey()
 
 	// Get bytes for signing trailing the signature length.