[Bug 3204] New: Enable user-relative revoked keys files

bugzilla-daemon at mindrot.org
Sat Aug 29 09:33:40 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3204

            Bug ID: 3204
           Summary: Enable user-relative revoked keys files
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: macdjord at gmail.com

The `AuthorizedKeysFile` directive supports the %h, %U, and %u tokens,
but the `RevokedKeys` directive does not. Thus it is possible to grant
individual users the ability to add authorized login keys (and indeed
this is the default with `.ssh/authorized_keys`), including authorized
certificate authorities using the `cert-authority` option, but there is
no way to grant them the ability to manage their own lists of revoked
keys.

This should be fixed by enabling support for the %h, %U, and %u tokens
for the `RevokedKeys` directive.

See also: https://bugzilla.mindrot.org/show_bug.cgi?id=2328, which
proposes a more powerful but more complicated solution to this issue:
allowing `authorized_keys` to specify a revocation list file for each
certificate authority key it defines.
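
Added example (not part of the bug report and not OpenSSH's own code): a shell
walk-through of the split the report describes. A user can already trust a CA of
their own from `~/.ssh/authorized_keys` with the `cert-authority` option (step 3,
per user because `AuthorizedKeysFile` expands %h/%u/%U), but the only place a
matching revocation can live is a KRL built with `ssh-keygen -k`, which on a real
host sits at the single path named by `RevokedKeys` in sshd_config (step 4). It
assumes OpenSSH's `ssh-keygen` is on PATH; the key file names, the principal
`alice` and the key ID `alice-laptop` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH itself).
# Builds, in a scratch directory, a user-managed CA, a certificate signed
# by it, the per-user cert-authority trust line, and a KRL revoking that
# certificate, then checks the KRL with ssh-keygen -Q.
# Assumes ssh-keygen is on PATH; all names below are constructed.

# Does the work inside the given scratch directory.
# Returns 0 if the KRL revokes the certificate, 1 if a step fails or the
# certificate is unexpectedly still accepted.
_krl_demo() {
    work=$1

    # 1. The CA key a user would like to manage themselves (constructed).
    ssh-keygen -q -t ed25519 -N '' -f "$work/user_ca" \
        -C 'constructed user CA' || return 1

    # 2. A login key plus a certificate for it signed by that CA
    #    (key ID alice-laptop, principal alice, valid for one hour).
    ssh-keygen -q -t ed25519 -N '' -f "$work/login" \
        -C 'constructed login key' || return 1
    ssh-keygen -q -s "$work/user_ca" -I alice-laptop -n alice -V +1h \
        "$work/login.pub" >/dev/null 2>&1 || return 1

    # 3. The trust line a user can already place in ~/.ssh/authorized_keys
    #    (a per-user file, since AuthorizedKeysFile expands %h/%u/%U).
    printf 'cert-authority %s\n' "$(cat "$work/user_ca.pub")" \
        > "$work/authorized_keys"

    # 4. Revocation as it works today: a KRL spec revoking the key ID under
    #    that CA, compiled with ssh-keygen -k. On a real host the output
    #    file would be the single path named by RevokedKeys in sshd_config,
    #    which is not expanded per user.
    printf 'id: alice-laptop\n' > "$work/revoke.spec"
    ssh-keygen -q -k -f "$work/revoked.krl" -s "$work/user_ca.pub" \
        "$work/revoke.spec" || return 1

    # 5. ssh-keygen -Q exits non-zero when a tested key is revoked, which
    #    mirrors the decision sshd makes against RevokedKeys.
    if ssh-keygen -Q -f "$work/revoked.krl" "$work/login-cert.pub" \
        >/dev/null 2>&1; then
        echo "unexpected: certificate not revoked" >&2
        return 1
    fi
    echo "revoked by KRL: $work/login-cert.pub"
    return 0
}

# Entry point: 0 = certificate revoked as expected, 1 = failure,
# 2 = ssh-keygen not available on this host (nothing to demonstrate).
krl_revokes_cert() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    _krl_demo "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}

krl_revokes_cert
```

The revocation spec uses `id:` under the CA passed with `-s`, so the KRL entry
is tied to that CA's key; the same spec file could name a `serial:` instead if the
certificate had been issued with `-z`. The point the report makes shows up in
step 4: nothing in sshd lets the user who wrote step 3's trust line own the file
that step 4 produces.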
