[PATCH 0/4] sshsig: find-principal fix & match-principals

Fabian Stelzer fs at gigacodes.de
Fri Oct 22 00:54:23 AEDT 2021

This patch series adds a few tests to the find-principals & verify
operations of ssh-keygen and fixes a bug in find-principals.
find-principals was checking key validity times for CA signed certs
but not for normal keys or a validity specified on the CA key.
The verify operation correctly does both. As find-principals just returns
the first match, this could return principals with an expired/notyetvalid key.
This patch changes this behaviour and could therefore be considered a
breaking change.
At the moment the docs are not quite clear about this. find-principals
is specified to return a list of principals. It wasn't clear to me that
this meant only those found on a single line. I assumed i would get all
that match the signatures public key. If my understanding is correct
that find-principals should always just return one match (sometimes
having multiple principals) then i can update the manpage as well.

It also adds a new -Y match-principals that can be used to determine if
a principal is present in the allowed signers file (considering wildcard
matches). I am implementing "Trust on first use" for git commit signing
via ssh keys  and needed a safe way to check that i will not add a principal
already present (and thereby possibly overriding their key if it expires
for example). Generally i only would like to add principals not already
matching any existing entry.

Fabian Stelzer (4):
  sshsig: add tests for signing key validity and find-principals
  sshsig: fix find-principals key lifespan validation
  ssh-keygen: make verify-time argument parsing optional
  ssh-keygen: add match-principals call

 regress/sshsig.sh | 151 ++++++++++++++++++++++++++++++++++++++++++++++
 ssh-keygen.1      |  14 +++++
 ssh-keygen.c      |  43 ++++++++++++-
 sshsig.c          |  95 +++++++++++++++++++++++------
 sshsig.h          |   4 ++
 5 files changed, 284 insertions(+), 23 deletions(-)


More information about the openssh-unix-dev mailing list