SSH certificates - restricting to host groups
Brian Candler
b.candler at pobox.com
Fri Jan 31 03:23:53 AEDT 2020
On 30/01/2020 13:31, Manoel Domingues Junior wrote:
> I think that adding an extension to the certificate as it is done for
> source-address validation can be one way.
>
> Currently, as it is necessary to support different versions of OpenSSH, we
> have developed GSH that uses AuthorizedPrincipalsCommand to validate
> whether the certificate was issued to the destination in question. You can
> add a script at AuthorizedPrincipalsCommand to validate an extension.
>
> GSH: https://github.com/globocom/gsh
I wondered about that, but I couldn't see how
AuthorizedPrincipalsCommand could get access to the extensions. Looking
at the latest OpenBSD manpage, I see that %k token has been added (for
the entire base64-encoded certificate). That will solve the problem
once other distros pick this up; Ubuntu 18.04 doesn't have %k.
Thanks also for the pointer to gsh. I see:
AuthorizedPrincipalsCommand /usr/local/bin/gsh-agent check-permission
--serial-number %s --username %u --api https://gsh-api.example.com
--key-id %i --key-fingerprint %f --certificate %k --certificate-type %t
I would therefore expect that if you're using an older version of SSH
(without %k) that it would have to query the API to find the extensions.
That would make it a critical service, much like LDAP would be.
Regards,
Brian.
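As an added illustration of the %k-based approach discussed above (example code, not gsh's and not from the original message): a minimal AuthorizedPrincipalsCommand helper that base64-decodes the certificate body sshd passes in %k, walks the OpenSSH certificate wire format to the extensions field, and emits the certificate's own principals only when a host-group extension names one of the groups this host belongs to. The extension name hostgroup@example.com, its comma-separated value format, the script path and the demo_cert() sample are all constructed for this example; it needs an sshd that supports %k.

```python
import base64, struct, sys

KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2,
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}  # public-key fields after the nonce, per cert type
HOSTGROUP_EXT = "hostgroup@example.com"  # hypothetical extension name chosen for this example

def put_string(b):  # encode one SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b
def get_string(buf, pos):  # decode one SSH "string" at pos -> (bytes, position after it)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def get_pairs(blob):  # options/extensions blob: repeated (string name, string data), data wraps the value
    out, pos = {}, 0
    while pos < len(blob):
        name, pos = get_string(blob, pos)
        data, pos = get_string(blob, pos)
        out[name.decode()] = get_string(data, 0)[0].decode() if data else ""
    return out

def parse_cert(b64):  # -> (key_id, principals, extensions) from the base64 cert body sshd passes as %k
    buf = base64.b64decode(b64)
    cert_type, pos = get_string(buf, 0)
    pos = get_string(buf, pos)[1]                        # nonce
    for _ in range(KEY_FIELDS[cert_type.decode()]):      # public key fields (mpint/string, all length-prefixed)
        pos = get_string(buf, pos)[1]
    pos += 12                                            # uint64 serial + uint32 type (user/host)
    key_id, pos = get_string(buf, pos)
    princ_blob, pos = get_string(buf, pos)
    pos += 16                                            # uint64 valid_after + uint64 valid_before
    pos = get_string(buf, pos)[1]                        # critical options (e.g. source-address), not needed here
    ext_blob, _ = get_string(buf, pos)                   # extensions: the field this check reads
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = get_string(princ_blob, p)
        principals.append(name.decode())
    return key_id.decode(), principals, get_pairs(ext_blob)

def allowed_principals(b64, local_groups):  # the cert's principals, only if its host-group extension names one of ours
    _, principals, ext = parse_cert(b64)
    groups = {g for g in ext.get(HOSTGROUP_EXT, "").split(",") if g}
    return principals if groups & set(local_groups) else []

def demo_cert():  # constructed, unsigned ed25519 cert body for offline testing; not a real certificate
    S = put_string
    ext = S(b"permit-pty") + S(b"") + S(HOSTGROUP_EXT.encode()) + S(S(b"web,db"))
    body = (S(b"ssh-ed25519-cert-v01@openssh.com") + S(b"N" * 32) + S(b"K" * 32) + struct.pack(">QI", 7, 1)
            + S(b"alice@example") + S(S(b"alice")) + struct.pack(">QQ", 0, 2**64 - 1) + S(b"") + S(ext) + S(b""))
    return base64.b64encode(body).decode()
if __name__ == "__main__":  # sshd: AuthorizedPrincipalsCommand /usr/local/bin/check-hostgroup.py %k web db
    print("\n".join(allowed_principals(sys.argv[1], sys.argv[2:])))
```

sshd also requires AuthorizedPrincipalsCommandUser to be set for the command to run; signature and validity checks still happen in sshd itself, this script only adds the host-group gate on top.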