[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Dec 22 20:07:28 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Bug ID: 2328
Summary: Per-user certificate revocation list (CRL) in
authorized_keys
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at pobox.madduck.net
I can tag a punkey `cert-authority` in authorized_keys, allowing every
user to administer their own CA for SSH logins. This is very cool,
thanks for that feature.
Unfortunately, this only makes sense if each user also manages a
corresponding CRL. However, this seems only possible in `sshd_config`,
meaning users cannot control it themselves trivially, and there's also
a namespacing issue / the possibility of users interfering with each
other. Finally, I might want to revoke access for a key from one
account but not another.
Hence, it would be cool if I could specify in `authorized_keys`
something akin to:
cert-authority,crl-file="revoked-certs",command="…" ssh-rsa …
and have `sshd` consult the CRL in `~/.ssh/revoked-certs` (or an
absolute path) when deciding whether to authenticate/authorize a login.
Thanks,
-m
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list