Re: SSH cert extensions and authz key options

On Fri, 12 Jan 2018, Michael Ströder wrote:

> Hi!
> 
> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
> description for CLI arg -O in ssh-keygen(1).
> 
> It seems to me that there could be a 1:1 mapping between SSH cert
> extensions and authz key options by just adding prefix "permit-" to the
> key option.

No, they are separate namespaces that happen to share similar options.

> But the man pages differ regarding case of "permit-x11-forwarding" and
> "X11-forwarding". [1] also says "permit-X11-forwarding". So it might
> only be a typo in ssh-keygen(1).

"permit-x11-forwarding" may appear in a certificate extension.

"x11-forwarding" may appear in authorized_keys, but doesn't make any
sense unless preceded by a "restrict" keyword.

> Questions:
> 
> Is there a guaranteed 1:1 mapping between SSH cert extensions and authz
> key options?

No. E.g. there is no "restrict" option for certs because permissions
are explicit in certificates and (mostly) implicit in the older
authorized_keys format.

If I were writing the authorized_keys file format today then I'd make it
explicit like the cert options/extensions are now...

> Are SSH cert extensions and authz key options treated case-insensitively?
> [1] does not say anything about this.

Cert extensions are case sensitive.

authorized_keys options aren't.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
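
The implicit-versus-explicit distinction and the case rules from the reply above, as an added Python example that is not part of the original message and is not OpenSSH code. Assumptions: the function names are hypothetical, names not quoted in the thread are taken from sshd(8) and PROTOCOL.certkeys, and the model covers only the five forwarding, pty and rc permissions.

```python
# Added illustration: a simplified model, not OpenSSH source code.
import re

# authorized_keys flag -> permission (names per sshd(8); matched case-insensitively)
AK_FLAGS = {"x11-forwarding": "x11", "agent-forwarding": "agent",
            "port-forwarding": "port", "pty": "pty", "user-rc": "user-rc"}
# certificate extension -> permission (matched case-sensitively; the X11 name
# is spelled the way reference [1] in the thread gives it)
CERT_EXTS = {"permit-X11-forwarding": "x11", "permit-agent-forwarding": "agent",
             "permit-port-forwarding": "port", "permit-pty": "pty",
             "permit-user-rc": "user-rc"}
PERMS = sorted(set(AK_FLAGS.values()))


def split_options(optstr):
    """Split a comma-separated option string, keeping quoted values intact."""
    return [m.group(0)
            for m in re.finditer(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', optstr)]


def authorized_keys_perms(optstr):
    """Implicit model: everything is allowed until an option takes it away."""
    perms = dict.fromkeys(PERMS, True)
    for opt in split_options(optstr):          # options apply in order
        name = opt.split("=", 1)[0].strip().lower()   # case-insensitive
        if name == "restrict":
            perms = dict.fromkeys(PERMS, False)       # clears everything so far
        elif name in AK_FLAGS:
            perms[AK_FLAGS[name]] = True              # a no-op unless restricted
        elif name.startswith("no-") and name[3:] in AK_FLAGS:
            perms[AK_FLAGS[name[3:]]] = False
    return perms


def cert_perms(extensions):
    """Explicit model: nothing is allowed unless the exact name is present."""
    perms = dict.fromkeys(PERMS, False)
    ignored = []
    for ext in extensions:
        if ext in CERT_EXTS:                          # exact, case-sensitive
            perms[CERT_EXTS[ext]] = True
        else:
            ignored.append(ext)                       # unrecognised: grants nothing
    return perms, ignored
```

Auditing an authorized_keys line this way shows why `pty,restrict` and `restrict,pty` are not equivalent, and why a certificate with no extensions grants none of these permissions.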



