[PATCH v2 0/3] sshsig: find-principal fix & match-principals
Fabian Stelzer
fs at gigacodes.de
Wed Nov 3 19:51:09 AEDT 2021
This patch series adds a few tests to the find-principals & verify
operations of ssh-keygen and fixes a bug in find-principals.
find-principals was checking key validity times for CA signed certs
but not for normal keys or a validity specified on the CA key.
The verify operation correctly does both. As find-principals just returns
the first match, this could return principals with an expired/notyetvalid key.
This patch changes this behaviour and could therefore be considered a
breaking change.
At the moment the docs are not quite clear about this. find-principals
is specified to return a list of principals. It wasn't clear to me that
this meant only those found on a single line. I assumed i would get all
that match the signatures public key. If my understanding is correct
that find-principals should always just return one match (sometimes
having multiple principals) then i can update the manpage as well.
It also adds a new -Y match-principals that can be used to determine if
a principal is present in the allowed signers file (considering wildcard
matches). I am implementing "Trust on first use" for git commit signing
via ssh keys and needed a safe way to check that i will not add a principal
already present (and thereby possibly overriding their key if it expires
for example). Generally i only would like to add principals not already
matching any existing entry.
Changes since v1:
- instead of fixing just the find-principals check consolidate find &
verify functions into one so we always use the same logic for both
- drops the already merged tests & optional verify_time parsing patches
Fabian Stelzer (3):
sshsig: move cert_filter_principals() for reuse
sshsig: fix find-principals key lifespan validation
ssh-keygen: add match-principals call
regress/sshsig.sh | 129 ++++++++++++++++++++++++
ssh-keygen.1 | 14 +++
ssh-keygen.c | 35 +++++++
sshsig.c | 246 ++++++++++++++++++++++++----------------------
sshsig.h | 4 +
5 files changed, 310 insertions(+), 118 deletions(-)
base-commit: 0328a081f38c09d2d4d650e94461a47fb5eef536
--
2.31.1
More information about the openssh-unix-dev
mailing list