anyone using certificates with an empty principals section?
Damien Miller
djm at mindrot.org
Wed Nov 26 16:21:05 AEDT 2025
Hi,
Is anyone on here using certificates with an empty principals section?
If so then I'd like to hear from you.
These were originally documented as being wildcard, i.e. matching any
principal, though this was supported only inconsistently and AFAIK
only for host certificates and not user certificates.
IMO this behaviour is a footgun and I'd like to remove it.
Specifically this would mean making certificates without a principals
section never usable for anything.
To make it possible to do wildcard host certificates, I'd like to
add the ability to do explicit wildcards using '*' characters in
principals, e.g. "*.example.com".
This would be a breaking change if you're depending on the existing
behaviour.
-d
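To make the difference concrete, here is an added model (not OpenSSH code) of how a name is checked against a certificate's principal list under the currently documented rule versus the rule proposed above; it assumes, as in OpenSSH's existing pattern matching elsewhere, that '*' matches any run of characters including dots, and the `audit` helper lists names whose answer would change.

```python
"""Illustrative model of SSH certificate principal matching.

Compares the currently documented rule (empty principals = wildcard,
honoured only for host certificates) with the proposal in the post
(empty = never valid; explicit '*' wildcards such as '*.example.com').
Hypothetical example code, not part of OpenSSH.
"""
import re

HOST_CERT = "host"
USER_CERT = "user"


def _wildcard_regex(pattern: str) -> re.Pattern:
    # Assumption: only '*' is special and it matches any sequence of
    # characters (dots included); everything else is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))


def matches_current(principals, cert_type, name):
    """Currently documented behaviour: an empty list matches any name,
    but only for host certificates; otherwise exact string comparison,
    so '*.example.com' is just a literal principal today."""
    if not principals:
        return cert_type == HOST_CERT
    return name in principals


def matches_proposed(principals, cert_type, name):
    """Proposed behaviour: an empty list never matches anything;
    a '*' inside a principal is an explicit wildcard."""
    if not principals:
        return False
    return any(_wildcard_regex(p).fullmatch(name) is not None
               for p in principals)


def audit(principals, cert_type, names):
    """Names whose authorization differs between the two rules, i.e.
    certificates that silently depend on the behaviour being removed."""
    return [n for n in names
            if matches_current(principals, cert_type, n)
            != matches_proposed(principals, cert_type, n)]
```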