On 30/01/2020 13:31, Manoel Domingues Junior wrote:
I think that adding an extension to the certificate as it is done for
source-address validation can be one way.
Currently, as it is necessary to support different versions of OpenSSH, we
have developed GSH that uses AuthorizedPrincipalsCommand to validate
whether the certificate was issued to the destination in question. You can
add a script at AuthorizedPrincipalsCommand to validate an extension.
GSH:https://github.com/globocom/gsh
I wondered about that, but I couldn't see how
AuthorizedPrincipalsCommand could get access to the extensions. Looking
at the latest OpenBSD manpage, I see that %k token has been added (for
the entire base64-encoded certificate). That will solve the problem
once other distros pick this up; Ubuntu 18.04 doesn't have %k.
Thanks also for the pointer to gsh. I see:
AuthorizedPrincipalsCommand /usr/local/bin/gsh-agent check-permission
--serial-number %s --username %u --api https://gsh-api.example.com
--key-id %i --key-fingerprint %f --certificate %k --certificate-type %t
I would therefore expect that if you're using an older version of SSH
(without %k) that it would have to query the API to find the extensions.
That would make it a critical service, much like LDAP would be.
Regards,
Brian.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
