User certificates with empty principals?

Brian Candler b.candler at pobox.com
Sat Feb 20 02:25:42 AEDT 2021


I wonder if you could help clarify something for me.  There is a scary 
warning in ssh-keygen(1) about certificates with empty principals:

"By default, generated certificates are valid for all users or hosts"

However, this appears to be contradicted by sshd_config(5), where it says:

"The default [for AuthorizedPrincipalsFile] is none, i.e. not to use a 
principals file - in this case, the username of the user must appear in 
a certificate's principals list for it to be accepted."

and:

"Note that certificates that lack a list of principals will not be 
permitted for authentication using TrustedUserCAKeys."

I've been trying to identify when a user certificate with no principals 
can be used, and the only case I can find is when the cert-authority has 
been listed in ~/.ssh/authorized_keys without a principals="..." option 
being specified.  Is that the only case? Including all older versions of 
sshd?

The reason I'm concerned is I'm looking at Vault for issuing SSH certs, 
and I've found that even if you constrain an SSH role to issue certs for 
a certain set of principals, it still lets the user issue a cert with no 
principals.  I'm trying to convince myself whether or not that's safe.

I have tested the scenarios I can think of with openssh 8.2p1:

1. default configuration with no AuthorizedPrincipalsFile/Command

=> sshd rejects with: "Certificate lacks principal list"

2. AuthorizedPrincipalsFile containing "foo"

=> sshd rejects with: "Certificate does not contain an authorized principal"

3. empty AuthorizedPrincipalsFile

=> sshd rejects with: "Certificate does not contain an authorized principal"

So it seems OK, but in that case perhaps ssh-keygen(1) could be 
clarified.  As well as the warning given above, it contains an example 
of creating a user certificate without any principals:

            $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub

To me it seems not very useful (or safe), if the only way you could use 
it is to allow logins with *any* certificate from this CA in 
~/.ssh/authorized_keys.

Thanks,

Brian.



More information about the openssh-unix-dev mailing list