[PATCH] allow wildcard matches for principals with CA certs and return all matches when calling find-principals

Fabian Stelzer fs at gigacodes.de
Tue Jan 25 23:01:02 AEDT 2022


On 25.01.2022 11:32, Brian Candler wrote:
>On 25/01/2022 08:54, Fabian Stelzer wrote:
>>ssh-keygen -Y find-principals will fail to return any matches if a
>>certificate signature is used and the allowed principals file contains a
>>wildcard principal (e.g.: *@example.com).
>
>Do you mean the "allowed signers" file, rather than the "allowed 
>principals" file?

You are right. I meant the allowed signers file.

>
>I'm not aware of any wildcard matching in AuthorizedPrincipalsFile, so 
>that confused me a bit: in other words, I thought "*@example.com" 
>would only match literally the principal "*@example.com".  If that's 
>not true, I'd like to know more.
>

The docs do not mention wildcards for the AuthorizedPrincipalsFile and in 
the code it looks like it only does explicit matching from what I could see at 
a glance.

The patch concerns ssh-keygen signing operations. The use-case here would be 
to consider signatures valid when signed with the specified CA key and 
matching a principal.
e.g. when the following is present in the allowed signers file:
*@example.com cert-authority ssh-rsa XXX

calling `ssh-keygen -Y verify -I user@example.com ...` will succeed when the 
signature was done with a cert signed by the specified CA's public key.

However find-principals will not match anything without this patch. With 
this patch it will return "user@example.com" from the cert which can then be 
used to do the verify call.

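The behaviour discussed in this thread, modelled as an added example (this is illustration code, not OpenSSH's implementation or the patch itself): a small parser for the allowed signers file format, a pattern-list matcher with the `*`/`?` wildcards and `!` negation of ssh_config(5) PATTERNS, and a find-principals routine that, for a `cert-authority` entry, returns the principals embedded in a certificate that match the wildcard pattern. The allowed signers content, the key blobs and the certificate principals are constructed sample values; the `Signer` record stands in for the information ssh-keygen extracts from the signature.

```python
"""Model of allowed-signers matching for ssh-keygen -Y find-principals.

Added illustration, not OpenSSH code. Key blobs and principals below are
constructed sample data; the file format follows the ssh-keygen(1)
ALLOWED SIGNERS section: principals [options] keytype base64-key.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class AllowedSigner:
    principals: str     # pattern-list, e.g. "*@example.com,!blocked@example.com"
    options: Set[str]   # e.g. {"cert-authority"}
    keytype: str
    key: str


@dataclass
class Signer:
    """What the verifier learns from a signature (hypothetical record)."""
    keytype: str
    key: str                              # signing key, or the CA key for a cert
    cert_principals: Optional[List[str]]  # None when a plain key signed


def parse_allowed_signers(text: str) -> List[AllowedSigner]:
    """Parse lines of the form: principals [options] keytype key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed allowed signers line: {line!r}")
        # Options are present when the second field is not a key type.
        if fields[1].startswith(("ssh-", "ecdsa-", "sk-")):
            options, keytype, key = set(), fields[1], fields[2]
        else:
            if len(fields) < 4:
                raise ValueError(f"malformed allowed signers line: {line!r}")
            options, keytype, key = set(fields[1].split(",")), fields[2], fields[3]
        entries.append(AllowedSigner(fields[0], options, keytype, key))
    return entries


def match_pattern(s: str, pattern: str) -> bool:
    """Glob match where '*' matches any run and '?' matches one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, s) is not None


def match_pattern_list(s: str, pattern_list: str) -> bool:
    """Comma-separated patterns; a matching '!' pattern rejects outright."""
    got_positive = False
    for sub in pattern_list.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return False
            got_positive = True
    return got_positive


def find_principals(entries: List[AllowedSigner], signer: Signer) -> List[str]:
    """Principals accepted for this signature.

    Plain key: the entry's principals field, as ssh-keygen prints it.
    Certificate: the cert's own principals that match a cert-authority
    entry's pattern-list (the behaviour the patch adds).
    """
    found: List[str] = []
    for e in entries:
        if (e.keytype, e.key) != (signer.keytype, signer.key):
            continue
        is_ca_entry = "cert-authority" in e.options
        if signer.cert_principals is None:
            if not is_ca_entry:
                found.append(e.principals)
        elif is_ca_entry:
            found.extend(p for p in signer.cert_principals
                         if match_pattern_list(p, e.principals))
    return found


def verify_identity(entries: List[AllowedSigner], signer: Signer, identity: str) -> bool:
    """The -I check of 'ssh-keygen -Y verify', reduced to principal matching."""
    for e in entries:
        if (e.keytype, e.key) != (signer.keytype, signer.key):
            continue
        if "cert-authority" in e.options:
            if signer.cert_principals is not None and identity in signer.cert_principals \
                    and match_pattern_list(identity, e.principals):
                return True
        elif signer.cert_principals is None and match_pattern_list(identity, e.principals):
            return True
    return False


# Constructed sample allowed signers file (keys are placeholders, not real blobs).
SAMPLE_ALLOWED_SIGNERS = """\
# plain key for one user
alice@example.com ssh-ed25519 AAAAC3alice
# any user in the domain via the CA, except one
*@example.com,!blocked@example.com cert-authority ssh-ed25519 AAAAC3ca
"""

ENTRIES = parse_allowed_signers(SAMPLE_ALLOWED_SIGNERS)
CERT_SIGNER = Signer("ssh-ed25519", "AAAAC3ca",
                     ["user@example.com", "blocked@example.com", "user@other.org"])
PLAIN_SIGNER = Signer("ssh-ed25519", "AAAAC3alice", None)

if __name__ == "__main__":
    print(find_principals(ENTRIES, CERT_SIGNER))
    print(find_principals(ENTRIES, PLAIN_SIGNER))
```

Running it shows the cert case yielding only `user@example.com`: the negated pattern excludes `blocked@example.com`, and `user@other.org` never matches the domain wildcard, so the principal returned by find-principals is exactly the one that `verify -I` would accept.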