[PATCH 0/4] sshsig: find-principal fix & match-principals
fs at gigacodes.de
Fri Oct 22 00:54:23 AEDT 2021
This patch series adds a few tests to the find-principals & verify
operations of ssh-keygen and fixes a bug in find-principals.
find-principals was checking key validity times for CA signed certs
but not for normal keys or a validity specified on the CA key.
The verify operation correctly does both. As find-principals just returns
the first match, this could return principals with an expired/notyetvalid key.
This patch changes this behaviour and could therefore be considered a
At the moment the docs are not quite clear about this. find-principals
is specified to return a list of principals. It wasn't clear to me that
this meant only those found on a single line. I assumed i would get all
that match the signatures public key. If my understanding is correct
that find-principals should always just return one match (sometimes
having multiple principals) then i can update the manpage as well.
It also adds a new -Y match-principals that can be used to determine if
a principal is present in the allowed signers file (considering wildcard
matches). I am implementing "Trust on first use" for git commit signing
via ssh keys and needed a safe way to check that i will not add a principal
already present (and thereby possibly overriding their key if it expires
for example). Generally i only would like to add principals not already
matching any existing entry.
Fabian Stelzer (4):
sshsig: add tests for signing key validity and find-principals
sshsig: fix find-principals key lifespan validation
ssh-keygen: make verify-time argument parsing optional
ssh-keygen: add match-principals call
regress/sshsig.sh | 151 ++++++++++++++++++++++++++++++++++++++++++++++
ssh-keygen.1 | 14 +++++
ssh-keygen.c | 43 ++++++++++++-
sshsig.c | 95 +++++++++++++++++++++++------
sshsig.h | 4 ++
5 files changed, 284 insertions(+), 23 deletions(-)
More information about the openssh-unix-dev