Certificate spec anomaly?
Brian Candler
b.candler at pobox.com
Tue Sep 20 08:08:17 AEST 2022
On 19/09/2022 22:45, Damien Miller wrote:
>> AFAICT, this allows anyone with *any* user certificate signed by the CA
>> to authenticate, with or without principals. That's clearly less than
>> ideal, but at least it was configured explicitly on this account, and
>> the attack surface is limited to that one particular account.
> Right, that's the use-case.
OK, but I don't see how to configure "accept a certificate with no
principals", versus "accept a certificate with *any* set of principals"