SSH cert extensions and authz key options

Michael Ströder michael at stroeder.com
Wed Jan 24 20:51:03 AEDT 2018


Damien,

your advice is appreciated.

Damien Miller wrote:
> On Fri, 12 Jan 2018, Michael Ströder wrote:
>> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
>> description for CLI arg -O in ssh-keygen(1).
>>
>> It seems to me that there could be a 1:1 mapping between SSH cert
>> extensions and authz key options by just adding prefix "permit-" to the
>> key option.
> 
> No, they are separate namespaces that happen to share similar options.

Hmm...

>> But the man pages differ regarding case of "permit-x11-forwarding" and
>> "X11-forwarding". [1] also says "permit-X11-forwarding". So it might
>> only be typo in ssh-keygen(1).
> 
> "permit-x11-forwarding" may appear in a certificate extension.
> 
> "x11-forwarding" may appear in authorized_keys, but doesn't make any
> sense unless preceeded by a "restrict" keyword.

Maybe I was not clear enough what I want to achieve.

I'd like to have a limited set of permissions (not exclusions!) in my
user management database and _transform_ this set of permission to
certificate extensions and authorized_keys options.

>> Is there a guaranteed 1:1 mapping between SSH cert extensions and authz
>> key options?
> 
> No. E.g. there is no "restrict" option for certs because permissions
> are explicit in certificates and (mostly) implicit in the older
> authorized_keys format.

Of course I'd prefix with "restrict" keyword and have only permissions
added to authorized_keys options to achieve having only explicit
permissions also therein.

> If I were writing the authorized_keys file format today then I'd make it
> explicit like the cert options/extensions are now...

I have to look for my time machine...?
Better not. ;-)

>> Are SSH cert extensions and authz key options treated case-insensitive?
>> [1] does not say anything about this.
> 
> Cert extensions are case sensitive
> 
> authorized_keys options aren't.

Sorry for nitpicking some more:

Man page ssh-keygen(1) -O says lower-case "permit-x11-forwarding" [1]
but certificate format spec [2] says mixed-case "permit-X11-forwarding".
So the former is the command-line option and the latter goes literally
into the cert? Sorry, this is a bit confusing.

Also [2] says that options and extensions have to be "lexically
ordered". What does that mean exactly regarding the case?

E.g. in Python it makes a difference sorting case-sensitive or
case-insensitive because capital letters are considered lower. Same in
OpenSSH code?

$ python3
Python 3.6.4 (default, Jan 03 2018, 13:52:55) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> sorted(['permit-port-forwarding','permit-X11-forwarding','permit-pty'])
['permit-X11-forwarding', 'permit-port-forwarding', 'permit-pty']
>>>
sorted(['permit-port-forwarding','permit-X11-forwarding','permit-pty'],
key=str.lower)
['permit-port-forwarding', 'permit-pty', 'permit-X11-forwarding']

Ciao, Michael.

[1] https://man.openbsd.org/ssh-keygen.1#permit-x11-forwarding

[2]
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180124/18075860/attachment.p7s>


More information about the openssh-unix-dev mailing list