SSH cert extensions and authz key options
Damien Miller
djm at mindrot.org
Wed Jan 24 15:07:40 AEDT 2018
On Fri, 12 Jan 2018, Michael Ströder wrote:
> Hi!
>
> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
> description for CLI arg -O in ssh-keygen(1).
>
> It seems to me that there could be a 1:1 mapping between SSH cert
> extensions and authz key options by just adding prefix "permit-" to the
> key option.
No, they are separate namespaces that happen to share similar options.
> But the man pages differ regarding case of "permit-x11-forwarding" and
> "X11-forwarding". [1] also says "permit-X11-forwarding". So it might
> only be a typo in ssh-keygen(1).
"permit-x11-forwarding" may appear in a certificate extension.
"x11-forwarding" may appear in authorized_keys, but doesn't make any
sense unless preceded by a "restrict" keyword.
> Questions:
>
> Is there a guaranteed 1:1 mapping between SSH cert extensions and authz
> key options?
No. E.g. there is no "restrict" option for certs because permissions
are explicit in certificates and (mostly) implicit in the older
authorized_keys format.
If I were writing the authorized_keys file format today then I'd make it
explicit like the cert options/extensions are now...
> Are SSH cert extensions and authz key options treated case-insensitive?
> [1] does not say anything about this.
Cert extensions are case sensitive.
authorized_keys options aren't.
-d
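
A small linter for the authorized_keys point made in the reply above, as an added example that is not part of the original message or of OpenSSH: it flags permit-style options (such as "x11-forwarding") that are not preceded by "restrict", matching names case-insensitively. The function names and sample option strings are constructed for illustration; the option names are the ones documented in sshd(8).

```python
# Permit-style authorized_keys options (sshd(8)); stored lowercase because
# authorized_keys option names are matched case-insensitively.
PERMIT_OPTIONS = {"agent-forwarding", "port-forwarding", "pty",
                  "user-rc", "x11-forwarding"}

def split_options(field):
    """Split an authorized_keys options field on commas outside double quotes."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(field):
        ch = field[i]
        # A backslash-escaped quote inside a quoted value does not end it.
        if quoted and ch == "\\" and field[i + 1:i + 2] == '"':
            cur += '\\"'
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        opts.append(cur)
    return opts

def permits_without_restrict(field):
    """Return permit-style options that appear before any "restrict"."""
    restricted, findings = False, []
    for opt in split_options(field):
        name = opt.split("=", 1)[0].lower()
        if name == "restrict":
            restricted = True
        elif name in PERMIT_OPTIONS and not restricted:
            findings.append(opt)
    return findings

# Constructed sample option fields (the part before the key type on a line).
SAMPLES = [
    'restrict,X11-Forwarding,command="echo a,b"',
    'x11-forwarding,command="uptime"',
    'PTY,restrict,pty',
]

if __name__ == "__main__":
    for field in SAMPLES:
        print(field, "->", permits_without_restrict(field))
```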