Re: SSH certificates - restricting to host groups

On 30/01/2020 13:31, Manoel Domingues Junior wrote:
> I think that adding an extension to the certificate as it is done for
> source-address validation can be one way.
>
> Currently, as it is necessary to support different versions of OpenSSH, we
> have developed GSH that uses AuthorizedPrincipalsCommand to validate
> whether the certificate was issued to the destination in question. You can
> add a script at AuthorizedPrincipalsCommand to validate an extension.
>
> GSH: https://github.com/globocom/gsh

I wondered about that, but I couldn't see how AuthorizedPrincipalsCommand could get access to the extensions. Looking at the latest OpenBSD manpage, I see that the %k token has been added (for the entire base64-encoded certificate). That will solve the problem once other distros pick this up; Ubuntu 18.04 doesn't have %k.

Thanks also for the pointer to gsh. I see:

AuthorizedPrincipalsCommand /usr/local/bin/gsh-agent check-permission --serial-number %s --username %u --api https://gsh-api.example.com --key-id %i --key-fingerprint %f --certificate %k --certificate-type %t

I would therefore expect that if you're using an older version of SSH (without %k), it would have to query the API to find the extensions. That would make it a critical service, much like LDAP would be.

Regards,

Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
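The check the thread describes, as an added example that is not gsh's code and not from either poster: an AuthorizedPrincipalsCommand helper that parses the base64 certificate sshd passes in %k, reads a hypothetical `host-groups@example.com` extension written by the CA, and emits the certificate's principals only when one of the listed groups matches this host. The extension name, the script path, the group arguments and the sample certificate are all assumptions.

```python
import base64, struct, sys

KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
              "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}  # curve, Q
HOST_GROUPS_EXT = "host-groups@example.com"  # hypothetical extension name set by the CA

def _s(b):  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read(buf, off):  # inverse of _s; returns (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _strings(blob):  # unpack a packed list of strings
    out, off = [], 0
    while off < len(blob):
        s, off = _read(blob, off); out.append(s)
    return out

def parse_cert(b64):
    """Walk the certificate body sshd hands over in %k as far as the extensions."""
    buf = base64.b64decode(b64)
    ctype, off = _read(buf, 0)
    off = _read(buf, off)[1]                      # nonce
    for _ in range(KEY_FIELDS[ctype.decode()]):   # public-key fields
        off = _read(buf, off)[1]
    key_id, off = _read(buf, off + 12)            # skip serial (u64) + type (u32)
    principals, off = _read(buf, off)
    crit, off = _read(buf, off + 16)              # skip valid_after / valid_before
    ext, off = _read(buf, off)
    # Options/extensions: name, then a string-wrapped value (empty for flags like permit-pty).
    pairs = lambda b: {k.decode(): (_read(v, 0)[0].decode() if v else "")
                       for k, v in zip(*[iter(_strings(b))] * 2)}
    return {"key_id": key_id.decode(), "principals": [p.decode() for p in _strings(principals)],
            "critical": pairs(crit), "extensions": pairs(ext)}

def allowed_principals(b64, local_groups):
    """Cert's own principals if its host-groups extension names one of local_groups,
    else nothing: an absent or non-matching extension is a deny."""
    cert = parse_cert(b64)
    groups = cert["extensions"].get(HOST_GROUPS_EXT)
    if groups is None or not set(groups.split(",")) & set(local_groups):
        return []
    return cert["principals"]

def build_sample_cert(groups):
    """Constructed, unsigned ed25519 cert for testing only; sshd has already checked
    the real CA signature and validity window before AuthorizedPrincipalsCommand runs."""
    ext = _s(HOST_GROUPS_EXT.encode()) + _s(_s(groups.encode()))
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\0" * 32) + _s(b"\0" * 32)
            + struct.pack(">QI", 42, 1) + _s(b"alice-key") + _s(_s(b"alice") + _s(b"deploy"))
            + struct.pack(">QQ", 0, 2 ** 64 - 1) + _s(b"") + _s(ext) + _s(b"") + _s(b"") + _s(b""))
    return base64.b64encode(body).decode()

if __name__ == "__main__":  # sshd_config: AuthorizedPrincipalsCommand /path/check.py %k web db
    print("\n".join(allowed_principals(sys.argv[1], sys.argv[2:])))
```

This has to be an extension rather than a critical option, since sshd refuses a certificate carrying a critical option it does not recognise but ignores unknown extensions; the flip side is that the restriction is only enforced on hosts that actually run the check.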