[PATCH] allow wildcard matches for principals with CA certs and return all matches when calling find-principals
Fabian Stelzer
fs at gigacodes.de
Tue Jan 25 23:01:02 AEDT 2022
On 25.01.2022 11:32, Brian Candler wrote:
>On 25/01/2022 08:54, Fabian Stelzer wrote:
>>ssh-keygen -Y find-principals will fail to return any matches if a
>>certificate signature is used and the allowed principals file contains a
>>wildcard principal (e.g.: *@example.com).
>
>Do you mean the "allowed signers" file, rather than the "allowed
>principals" file?
You are right. I meant the allowed signers file.
>
>I'm not aware of any wildcard matching in AuthorizedPrincipalsFile, so
>that confused me a bit: in other words, I thought "*@example.com"
>would only match literally the principal "*@example.com". If that's
>not true, I'd like to know more.
>
The docs do not mention wildcards for the AuthorizedPrincipalsFile, and in
the code it looks like it only does explicit matching, from what I could see
at a glance.
The patch concerns ssh-keygen signing operations. The use-case here would be
to consider signatures valid when signed with the specified CA key and
matching a principal.
e.g. when the following is present in the allowed signers file:
*@example.com cert-authority ssh-rsa XXX
calling `ssh-keygen -Y verify -I user@example.com ...` will succeed when the
signature was done with a cert signed by the specified CA's public key.
However, find-principals will not match anything without this patch. With
this patch it will return "user@example.com" from the cert, which can then be
used to do the verify call.
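The allowed-signers lookup described in this message, as an added illustration written for this thread (not code from the original post and not OpenSSH's own implementation): a small model of how `-Y find-principals` and `-Y verify -I` consult an allowed_signers file that carries a wildcard principal on a `cert-authority` line. The real ssh-keygen checks the signature and the certificate's validity; here a "certificate" is just its CA key plus its principal list, the key blobs are placeholder strings, and the `valid-after`/`valid-before` options are not modelled. The `wildcard_certs=False` switch is an assumption standing in for the pre-patch behaviour the message describes (exact comparison of cert principals against the principals field), so that the difference is visible side by side.

```python
"""Model of ssh-keygen -Y find-principals / -Y verify against an allowed_signers
file with a wildcard principal on a cert-authority entry.  Added illustration for
this thread, not OpenSSH code: no real signatures or certificates are checked."""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Key:
    keytype: str
    blob: str                     # base64 blob as written in allowed_signers


@dataclass
class Cert:
    ca: Key                       # key that signed the certificate
    principals: List[str]         # principals embedded in the certificate


@dataclass
class SignerEntry:
    patterns: List[str]           # principal pattern-list (comma-separated field)
    key: Key
    cert_authority: bool = False
    namespaces: Optional[List[str]] = None   # None: accepted in any namespace


Signer = Union[Key, Cert]
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def match_pattern(s: str, pat: str) -> bool:
    """Glob with '*' and '?' only, the ssh_config PATTERNS subset."""
    if not pat:
        return not s
    if pat[0] == "*":
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    return bool(s) and pat[0] in ("?", s[0]) and match_pattern(s[1:], pat[1:])


def match_pattern_list(s: str, patterns: List[str]) -> bool:
    """A matching '!'-pattern rejects outright; otherwise any positive hit wins."""
    hit = False
    for pat in patterns:
        neg = pat.startswith("!")
        if match_pattern(s, pat[1:] if neg else pat):
            if neg:
                return False
            hit = True
    return hit


def split_options(opts: str) -> List[str]:
    """Split the options field on commas that are not inside double quotes."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur]


def parse_allowed_signers(text: str) -> List[SignerEntry]:
    """Parse 'principals [options] keytype key [comment]' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed allowed_signers line: {line!r}")
        patterns = fields[0].split(",")
        ca, namespaces, i = False, None, 1
        if not fields[1].startswith(KEY_PREFIXES):      # an options field is present
            for opt in split_options(fields[1]):
                if opt == "cert-authority":
                    ca = True
                elif opt.startswith("namespaces="):
                    namespaces = opt[len("namespaces="):].strip('"').split(",")
                else:                                    # valid-after/before not modelled
                    raise ValueError(f"unsupported option {opt!r}")
            i = 2
        entries.append(SignerEntry(patterns, Key(fields[i], fields[i + 1]), ca, namespaces))
    return entries


def find_principals(entries: List[SignerEntry], signer: Signer, namespace: str,
                    wildcard_certs: bool = True) -> List[str]:
    """Principals that -Y find-principals would report for `signer`.
    wildcard_certs=False is the assumed pre-patch behaviour: cert principals are
    compared literally against the principals field, so '*@example.com' hits nothing."""
    found: List[str] = []
    for e in entries:
        if e.namespaces is not None and namespace not in e.namespaces:
            continue
        if isinstance(signer, Cert):
            if not e.cert_authority or signer.ca != e.key:
                continue
            for p in signer.principals:
                ok = match_pattern_list(p, e.patterns) if wildcard_certs else p in e.patterns
                if ok and p not in found:
                    found.append(p)
        elif not e.cert_authority and signer == e.key:
            for p in e.patterns:          # plain key: the entry itself names the identity
                if p not in found:
                    found.append(p)
    return found


def verify_identity(entries: List[SignerEntry], signer: Signer, namespace: str, identity: str) -> bool:
    """Model of -Y verify -I identity: an entry must accept the identity, and for a
    certificate the identity must also be one of the certificate's principals."""
    for e in entries:
        if e.namespaces is not None and namespace not in e.namespaces:
            continue
        if not match_pattern_list(identity, e.patterns):
            continue
        if isinstance(signer, Cert):
            if e.cert_authority and signer.ca == e.key and identity in signer.principals:
                return True
        elif not e.cert_authority and signer == e.key:
            return True
    return False


# Constructed sample data: the blobs are placeholders, not real key material.
ALLOWED_SIGNERS = """\
# CA trusted for every principal in the domain (the case from the thread)
*@example.com cert-authority ssh-ed25519 AAAACAKEYPLACEHOLDER
# one plain key, accepted only in the "file" namespace
contractor@example.com namespaces="file" ssh-ed25519 AAAAUSERKEYPLACEHOLDER
"""
CA_KEY = Key("ssh-ed25519", "AAAACAKEYPLACEHOLDER")
USER_CERT = Cert(CA_KEY, ["user@example.com", "user@other.org"])
CONTRACTOR_KEY = Key("ssh-ed25519", "AAAAUSERKEYPLACEHOLDER")

if __name__ == "__main__":
    entries = parse_allowed_signers(ALLOWED_SIGNERS)
    print("find-principals, wildcard CA entry:", find_principals(entries, USER_CERT, "file"))
    print("same, assumed pre-patch behaviour: ", find_principals(entries, USER_CERT, "file", wildcard_certs=False))
    print("verify -I user@example.com:", verify_identity(entries, USER_CERT, "file", "user@example.com"))
    print("contractor key in git namespace:", find_principals(entries, CONTRACTOR_KEY, "git"))
```

The model reproduces the point of the patch: the certificate's own principal `user@example.com` is what gets reported once the entry's pattern is matched against the cert principals, and a principal the cert carries but the pattern does not cover (`user@other.org`) is neither reported nor accepted by the verify step. It also shows why `-I` still matters after `find-principals`: an identity that matches the wildcard but is not in the certificate (`evil@example.com`) is rejected.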