Re: Using principal wildcards in gpg.ssh.allowedSignersFile

On 17.12.2021 10:42, Fabian Stelzer wrote:
On 17.12.2021 00:20, Matthias Maier wrote:
Dear all,

I am experimenting with git version 2.34.1 (and OpenSSH 8.8_p1) a bit
trying to set up a repository with SSH signatures for commits instead of
pgp. I have also tested the current "git next" branch.

The straight-forward setup (by having an "allowed_signers" file
naming individual e-mails and pubkeys) works as anticipated.

However, when trying to combine this with an SSH certificate authority
(which would be the use case I have in mind) I am not able to use an
e-mail wildcard in the "allowed_signers" file but have to specify full
e-mails instead. This, unfortunately, defeats a bit the purpose of
having an SSH certificate authority in the first place...


Thanks for your report. I tested the described behaviour and I think this is a bug in openssh. find-principals will never match on a CA cert with wildcard principals whereas wildcards for non-CA keys work just fine. I've emailed the openssh maintainer about it and will prepare a patch.

Just for reference to the git list:
This issue was fixed with https://github.com/openssh/openssh-portable/commit/15b7199a1fd37eff4c695e09d573f3db9f4274b7
which should be in the next openssh release.

Steps to reproduce:

====================
Set up a minimal CA:
====================

$ mkdir /tmp/signing-test
$ cd /tmp/signing-test


A)  Set up two test pubkeys:

$ ssh-keygen -t ed25519 -C "ca key" -f id_ca
[...]
$ ssh-keygen -t ed25519 -C "user key" -f id_user
[...]


B)  Sign user key creating an SSH certificate:
[...]

C)  Create allowed signers file:

$ (printf '*@43-1.org cert-authority,namespaces="file,git" '; cat id_ca.pub) > allowed_signers

! Important: I used a wild card "*@43-1.org" for the principal!


D) Test setup:

$ echo this is some random text > test.txt
$ ssh-keygen -Y sign -f id_user-cert.pub -n file test.txt
Signing file test.txt
Write signature to test.txt.sig

$ ssh-keygen -Y find-principals -f allowed_signers -n file -s test.txt.sig
tamiko@xxxxxxxx

Are you sure the allowed_signers file was exactly what you generated before for this command? If I follow your steps this will not produce a principal for me with either openssh-8.8.1 or master. Can you run this with `-vvv` which will show a bit more ssh internal output? In the openssh code for find-principals wildcard principals are filtered for CA certs. I'm not sure why and have asked them about it.

By the way, find-principals will not consider the namespace parameter.
This has another bug in the current master producing a segfault for which I've already sent a patch. But this should be unrelated to your issue.


$ ssh-keygen -Y verify -f allowed_signers -I "tamiko@xxxxxxxx" -n file -s test.txt.sig < test.txt
Good "file" signature for tamiko@xxxxxxxx with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ


=======================
Set up a git repository
=======================

E) Set up an empty repository somewhere

$ cd /tmp
$ git init signing-test-repo
$ cd signing-test-repo

and modify .git/config to look like this:

      [core]
              repositoryformatversion = 0
              filemode = true
              bare = false
              logallrefupdates = true
      [commit]
              gpgsign = true
      [user]
              signingkey = /tmp/signing-test/id_user-cert.pub
      [gpg]
              format = ssh
      [gpg "ssh"]
              allowedSignersFile = /tmp/signing-test/allowed_signers


F) make a commit

$ git commit -a --allow-empty -m "my shiny new ssh key signed commit"

$ git log --show-signature
Good "git" signature with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
/tmp/signing-test/allowed_signers:1: no valid principals found
No principal matched.
Author: Matthias Maier <tamiko@xxxxxxxx>
Date:   Mon Dec 13 23:51:03 2021 -0600

Just FYI: if you add GIT_TRACE=1 to the git commands you can see the executed ssh-keygen commands, which can help to see what's going on.



G) modify allowed_signers entry to read "tamiko@xxxxxxxx" instead of the wildcard "*@43-1.org":

$ git log --show-signature
Good "git" signature for tamiko@xxxxxxxx with ED25519-CERT key SHA256:noSSfVeVlrYi6vGgK+jRPvyBnIV4ccVA0iW4IXYdXDQ
Author: Matthias Maier <tamiko@xxxxxxxx>
Date:   Mon Dec 13 23:51:03 2021 -0600
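
Added example, not part of the thread and not code from OpenSSH or git: a Python script that lists the allowed_signers entries combining cert-authority with a wildcard principal, the combination the thread reports as failing in find-principals before the linked OpenSSH fix. The matcher is a simplified model of the PATTERNS rules in ssh_config(5); the sample file, its placeholder key blobs, the key-type prefix heuristic and the assumption that the option field contains no spaces are all constructed for illustration.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # assumption: how a key-type token starts

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# test CA entry as in step C of the thread
*@43-1.org cert-authority,namespaces="file,git" ssh-ed25519 AAAA_PLACEHOLDER_CA ca key
alice@example.org ssh-ed25519 AAAA_PLACEHOLDER_1 user key
*@example.org namespaces="git" ssh-ed25519 AAAA_PLACEHOLDER_2
"""

def split_options(field):
    """Split the comma-separated option field, keeping quoted commas intact."""
    return re.findall(r'(?:[^,"]|"[^"]*")+', field)

def parse_line(line):
    """Return (principal patterns, options) for one entry, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    principals, rest = line.split(None, 1)
    options = []
    if not rest.startswith(KEY_PREFIXES):  # an option field precedes the key type
        options = split_options(rest.split(None, 1)[0].lower())  # lowercased for lookup
    return principals.split(","), options

def pattern_matches(patterns, principal):
    """Simplified PATTERNS match: '*' and '?' wildcards, a matching '!' entry vetoes."""
    hit = False
    for pat in patterns:
        body = pat[1:] if pat.startswith("!") else pat
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in body)
        if re.fullmatch(rx, principal):
            if pat.startswith("!"):
                return False
            hit = True
    return hit

def wildcard_ca_entries(text):
    """(line number, patterns) of cert-authority entries whose principals use wildcards."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and "cert-authority" in parsed[1] and re.search(r"[*?]", ",".join(parsed[0])):
            found.append((no, parsed[0]))
    return found

if __name__ == "__main__":
    for no, patterns in wildcard_ca_entries(SAMPLE):
        print(f"line {no}: cert-authority with wildcard principals {patterns}")
```

Entries it reports are the ones to recheck with `git log --show-signature` on an OpenSSH build that includes the linked commit.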


