[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Dec 22 20:07:28 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2328

            Bug ID: 2328
           Summary: Per-user certificate revocation list (CRL) in
                    authorized_keys
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot.org at pobox.madduck.net

I can tag a pubkey `cert-authority` in authorized_keys, allowing every
user to administer their own CA for SSH logins. This is very cool,
thanks for that feature.

Unfortunately, this only makes sense if each user also manages a
corresponding CRL. However, this seems only possible in `sshd_config`,
meaning users cannot control it themselves trivially, and there's also
a namespacing issue / the possibility of users interfering with each
other. Finally, I might want to revoke access for a key from one
account but not another.

Hence, it would be cool if I could specify in `authorized_keys`
something akin to:

  cert-authority,crl-file="revoked-certs",command="…" ssh-rsa …

and have `sshd` consult the CRL in `~/.ssh/revoked-certs` (or an
absolute path) when deciding whether to authenticate/authorize a login.

Thanks,
-m
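The option syntax the report proposes, parsed as an added example that is not OpenSSH code: `crl-file` is the hypothetical option from this request (not an implemented one), the key line and home directory are constructed, and the resolution of a relative name under `~/.ssh` follows the report's wording rather than any sshd behaviour.

```python
from pathlib import PurePosixPath

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed authorized_keys line in the form the report proposes.
# The command value deliberately contains a comma and spaces, which is
# why the options field cannot simply be split on ',' or whitespace.
SAMPLE_LINE = ('cert-authority,crl-file="revoked-certs",'
               'command="/usr/bin/rsync --server, --sender" '
               'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB_CONSTRUCTED ca@example')


def split_line(line):
    """Return (options_field, key_part).  Options are present only when the
    line does not start with a key type; a double-quoted option value may
    contain spaces, so scan for the first whitespace outside quotes."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return "", line
    in_q, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_q and i + 1 < len(line):
            i += 2            # backslash-escaped char inside quotes
            continue
        if c == '"':
            in_q = not in_q
        elif c.isspace() and not in_q:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_options(opts):
    """Split an options field on commas, honouring double-quoted values in
    which commas may appear and \\" escapes a quote.  Flags map to True."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in ',=':
            j += 1
        name, value = opts[i:j], True
        if j < n and opts[j] == '=':
            j += 1
            if j < n and opts[j] == '"':
                j, buf = j + 1, []
                while j < n and opts[j] != '"':
                    if opts[j] == "\\" and j + 1 < n and opts[j + 1] == '"':
                        j += 1
                    buf.append(opts[j])
                    j += 1
                value, j = "".join(buf), j + 1     # skip closing quote
            else:
                k = j
                while k < n and opts[k] != ',':
                    k += 1
                value, j = opts[j:k], k
        result[name] = value
        i = j + 1 if j < n and opts[j] == ',' else j
    return result


def crl_path(options, home="/home/user"):     # home dir is assumed
    """Resolve the proposed crl-file value as the report asks: a relative
    name lives under ~/.ssh, an absolute path is used as given."""
    p = options.get("crl-file")
    if p is None:
        return None
    p = PurePosixPath(p)
    return str(p if p.is_absolute() else PurePosixPath(home) / ".ssh" / p)
```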
