On 25.01.2022 11:32, Brian Candler wrote:
> On 25/01/2022 08:54, Fabian Stelzer wrote:
>> ssh-keygen -Y find-principals will fail to return any matches if a
>> certificate signature is used and the allowed principals file contains a
>> wildcard principal (e.g.: *@example.com).
> Do you mean the "allowed signers" file, rather than the "allowed
> principals" file?

You are right. I meant the allowed signers file.

> I'm not aware of any wildcard matching in AuthorizedPrincipalsFile, so
> that confused me a bit: in other words, I thought "*@example.com"
> would only match literally the principal "*@example.com". If that's
> not true, I'd like to know more.

The docs do not mention wildcards for the AuthorizedPrincipalsFile and in
the code it looks like it only does explicit matching from what I could see at
a glance.

The patch concerns ssh-keygen signing operations. The use-case here would be
to consider signatures valid when signed with the specified CA key and
matching a principal.
e.g. when the following is present in the allowed signers file:
*@example.com cert-authority ssh-rsa XXX
calling `ssh-keygen -Y verify -I user@xxxxxxxxxxx ...` will succeed when the
signature was done with a cert signed by the specified CA's public key.
However find-principals will not match anything without this patch. With
this patch it will return "user@xxxxxxxxxxx" from the cert which can then be
used to do the verify call.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
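An end-to-end run of the workflow the message describes, as an added example that is not code from the thread or from OpenSSH: a CA key, a user key signed into a certificate with a single principal, an allowed_signers line with a wildcard principal and the cert-authority option, a signature made through ssh-agent so that it carries the certificate, then `-Y verify` with an explicit `-I` (the case that works today) and `-Y find-principals` (the case the patch addresses). The key file names, the principal user@example.com, the namespace "file" and the contents of message.txt are assumptions made for this demo. Whether find-principals prints the principal depends on whether the installed ssh-keygen includes the change discussed here; an unpatched one prints nothing and exits non-zero, which the script tolerates.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: an end-to-end
# sshsig run that uses a cert-authority wildcard line in allowed_signers.
# Assumed names: key files ca/user, principal user@example.com, signature
# namespace "file", and a constructed message.txt.
set -eu

PRINCIPAL="user@example.com"
NAMESPACE="file"
WORK=""

require_tools() {
    command -v ssh-keygen >/dev/null 2>&1 && command -v ssh-agent >/dev/null 2>&1
}

setup_keys() {
    WORK=$(mktemp -d)
    # CA key, user key, and a certificate for the user key whose single
    # principal is $PRINCIPAL (no expiry, so the verify-time check passes).
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$WORK/ca"
    ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$WORK/user"
    ssh-keygen -q -s "$WORK/ca" -I demo-user-cert -n "$PRINCIPAL" "$WORK/user.pub"
    # allowed_signers line: principal pattern, cert-authority option, CA public
    # key (key type and base64 blob only; the key comment is not part of it).
    printf '*@example.com cert-authority %s\n' "$(cut -d' ' -f1,2 "$WORK/ca.pub")" \
        > "$WORK/allowed_signers"
    # constructed sample data to sign
    printf 'constructed sample data for the sshsig demo\n' > "$WORK/message.txt"
}

sign_with_cert() {
    # Load the private key into a throwaway agent; ssh-add also picks up
    # user-cert.pub, so -f can name the certificate and the resulting
    # signature carries the certificate rather than the bare public key.
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -q "$WORK/user" 2>/dev/null
    ssh-keygen -q -Y sign -f "$WORK/user-cert.pub" -n "$NAMESPACE" "$WORK/message.txt"
    ssh-agent -k >/dev/null
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

verify_as() {
    # Verify with an explicit identity. Succeeds only when the identity
    # matches the allowed_signers pattern, the certificate is signed by the
    # listed CA, and the identity is one of the certificate's principals.
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$1" -n "$NAMESPACE" \
        -s "$WORK/message.txt.sig" < "$WORK/message.txt" >/dev/null 2>&1
}

find_principal() {
    # With the change discussed in the thread this prints the principal taken
    # from the certificate; without it nothing matches, ssh-keygen exits
    # non-zero, and the output is empty.
    ssh-keygen -Y find-principals -f "$WORK/allowed_signers" \
        -s "$WORK/message.txt.sig" 2>/dev/null || true
}

cleanup() {
    rm -rf "$WORK"
}

main() {
    require_tools || { echo "ssh-keygen and ssh-agent are required" >&2; return 0; }
    setup_keys
    sign_with_cert
    verify_as "$PRINCIPAL" && echo "verify -I $PRINCIPAL: good signature"
    verify_as other@example.com || echo "verify -I other@example.com: rejected (not a cert principal)"
    verify_as user@example.org || echo "verify -I user@example.org: rejected (pattern does not match)"
    found=$(find_principal)
    echo "find-principals returned: '${found}'"
    cleanup
}

main
```

Run it with `sh` on a host that has ssh-keygen and ssh-agent in PATH; it starts and kills its own agent and works in a temporary directory, so it does not touch ~/.ssh or a running agent. The two rejected verify calls show the two separate checks involved: the identity must match the allowed_signers pattern, and it must also be a principal of the certificate the signature carries.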