Hi Fabian,

Thanks for doing the bug report to openssh!

On Fri, Dec 17, 2021, at 03:42 CST, Fabian Stelzer <fs@xxxxxxxxxxxx> wrote:
> [...]
>> $ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
>> tamiko@xxxxxxxx
>
> Are you sure the allowed_signers file was exactly what you generated
> before for this command? If I follow your steps this will not produce
> a principal for me with either openssh-8.8.1 or master. Can you run
> this with `-vvv`, which will show a bit more ssh internal output?
> In the openssh code for find-principals, wildcard principals are
> filtered for CA certs. I'm not sure why and have asked them about it.
>
> By the way, find-principals will not consider the namespace parameter.
> This has another bug in the current master producing a segfault, for
> which I've already sent a patch. But this should be unrelated to your
> issue.

You're absolutely right - I did confuse myself. The find-principals call
does not work:

  % ssh-keygen -vvv -Y find-principals -f allowed_signers -n file -s test.txt.sig
  debug3: allowed_signers:1: options cert-authority,namespaces="file,git"
  debug1: allowed_signers:1: principal "*@43-1.org" not authorized: contains wildcards
  allowed_signers:1: no valid principals found
  debug1: allowed_signers:1: cert_filter_principals: invalid certificate
  No principal matched.

I agree. It is interesting that they explicitly filter wildcards for the
find-principals call. Let's see what openssh upstream has to say.

> [...]
>
> Just FYI: if you add GIT_TRACE=1 to the git commands you can see the
> executed ssh-keygen commands, which can help to see what's going on.

Ah, that's neat!

Best,
Matthias
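To make the behaviour in the -vvv output above concrete, here is an added model of the allowed_signers lookup; it is constructed for this thread and is not OpenSSH code. It parses allowed_signers lines and applies the two rules the thread describes: on cert-authority lines, find-principals drops wildcard principals, and the -n namespace is not consulted at all. The file contents and the key blob are constructed placeholders, and it assumes option values contain no whitespace.

```python
# Constructed model (not OpenSSH code) of the allowed_signers lookup seen in the -vvv output above.
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def _parse_options(blob):
    # Comma-separated; a quoted value such as namespaces="file,git" keeps its commas.
    opts = {}
    for opt in re.findall(r'[\w-]+(?:="[^"]*")?', blob):
        name, _, value = opt.partition("=")
        opts[name] = value.strip('"') if value else True
    return opts

def parse_allowed_signers(text):
    """Parse 'principals [options] keytype key [comment]' lines (option values assumed whitespace-free)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # '#' starts a comment
        if not tokens:
            continue
        principals, tokens = tokens[0].split(","), tokens[1:]
        options = {}
        if not KEY_TYPE.match(tokens[0]):  # options, if any, precede the key type
            options, tokens = _parse_options(tokens[0]), tokens[1:]
        entries.append({"principals": principals, "options": options,
                        "key": " ".join(tokens[:2]), "lineno": lineno})
    return entries

def find_principals(entries, signer_key, signed_with_cert):
    """Return (principals, debug lines); signer_key is the CA key for a certificate signature. No namespace argument: find-principals ignores -n."""
    found, debug = [], []
    for e in entries:
        is_ca = e["options"].get("cert-authority") is True
        if e["key"] != signer_key or is_ca != signed_with_cert:
            continue  # plain keys only match non-CA lines, certificates only CA lines
        # The rule from the thread: on CA lines, wildcard principals are dropped outright.
        bad = [p for p in e["principals"] if is_ca and any(c in p for c in "*?")]
        debug += [f'allowed_signers:{e["lineno"]}: principal "{p}" not authorized: contains wildcards' for p in bad]
        valid = [p for p in e["principals"] if p not in bad]
        if not valid:
            debug.append(f'allowed_signers:{e["lineno"]}: no valid principals found')
        found.extend(valid)
    return found, debug

# Constructed allowed_signers file; the key blob is a placeholder, not a real key.
CA_KEY = "ssh-ed25519 AAAAC3CONSTRUCTEDPLACEHOLDERKEY"
ALLOWED_SIGNERS = f'*@43-1.org cert-authority,namespaces="file,git" {CA_KEY}\ntamiko@43-1.org cert-authority {CA_KEY}\n'
```

Running find_principals over the constructed file with signed_with_cert=True reproduces the two debug lines for line 1 and returns only the explicit principal from line 2.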