anyone using certificates with an empty principals section?

Jörn Heissler openssh-bugs at wulf.eu.org
Wed Nov 26 19:17:45 AEDT 2025


On Wed, Nov 26, 2025 at 16:21:05 +1100, Damien Miller wrote:
> Hi,
> 
> Is anyone on here using certificates with an empty principals section?
> If so then I'd like to hear from you.
> 
> These were originally documented as being wildcard, i.e. matching any
> principal, though this was supported only inconsistently and AFAIK
> only for host certificates and not user certificates.
> 
> IMO this behaviour is a footgun and I'd like to remove it.
> Specifically this would mean making certificates without a principals
> section never usable for anything.
> 
> To make it possible to do wildcard host certificates, I'd like to
> add the ability to do explicit wildcards using '*' characters in
> principals, e.g. "*.example.com".
> 
> This would be a breaking change if you're depending on the existing
> behaviour.
> 
> -d


Hi,

I reported a security issue against hashicorp-vault a while ago that
resulted in CVE-2024-7594:

https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251

It's quite possible that some hashivault users still generate host certs
with empty principals: it used to be the default behaviour! I didn't
verify whether newer vault versions still have this default.

There is at least one situation where user certs with empty principals
are accepted: The target user configured the CA cert in their
~/.ssh/authorized_keys without specifying the "principals" parameter,
i.e. just "cert-authority ssh-ed25519 AAAAC3Nza...."

In my opinion this footgun should be removed from OpenSSH, both for host
and user certs.

Beware: if you add wildcards, this might create new issues if the
software that generates the certs can be tricked into writing a "*" into
the cert. But this should be seen as a bug in that
software/configuration and not really an OpenSSH issue.


Jörn
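
The two footguns named in this message, a certificate whose principals list is empty and an authorized_keys `cert-authority` entry with no `principals=` option, are both things an operator can audit for today. The script below is an added example for this archive page, not code from the thread, from OpenSSH or from Vault. It builds a constructed ed25519 certificate blob laid out as in OpenSSH's PROTOCOL.certkeys (with placeholder key material and a zero signature, so sshd would never accept it), walks the blob far enough to read the valid principals field, flags an empty list or a principal containing `*`/`?`, and scans a constructed authorized_keys sample for `cert-authority` lines that lack `principals=`. Names such as `check_cert` and `audit_authorized_keys` and the sample keys are the example's own.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # lines starting this way carry no options
SSH_CERT_TYPE_USER, SSH_CERT_TYPE_HOST = 1, 2


def _s(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_ed25519_cert(principals, cert_type=SSH_CERT_TYPE_USER, key_id="demo"):
    """Constructed, unsigned cert in PROTOCOL.certkeys layout (placeholder keys/signature)."""
    body = (
        _s(CERT_TYPE)
        + _s(b"\x00" * 32)                                   # nonce
        + _s(b"\x01" * 32)                                   # certified ed25519 pubkey
        + struct.pack(">Q", 0)                               # serial
        + struct.pack(">I", cert_type)                       # 1 = user, 2 = host
        + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))   # [] encodes as an empty string
        + struct.pack(">Q", 0) + struct.pack(">Q", 2**64 - 1)  # valid after / before
        + _s(b"") + _s(b"") + _s(b"")                        # critical opts, extensions, reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32))          # CA signature key
    )
    return body + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 64))  # placeholder signature


def cert_line(blob: bytes, comment="demo-cert") -> str:
    """One-line form as found in *-cert.pub files."""
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"


def parse_cert_principals(line: str):
    """Return (cert_type, key_id, principals); nothing is verified, audit view only."""
    blob = base64.b64decode(line.split()[1])
    key_type, off = _read_string(blob, 0)
    if key_type != CERT_TYPE:
        raise ValueError(f"unsupported key type {key_type!r}")
    _nonce, off = _read_string(blob, off)
    _pk, off = _read_string(blob, off)
    off += 8                                                 # skip serial
    (cert_type,) = struct.unpack_from(">I", blob, off)
    off += 4
    key_id, off = _read_string(blob, off)
    packed, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return cert_type, key_id.decode(), principals


def check_cert(line: str):
    """Empty principals list, or a principal with glob characters, is a finding."""
    _type, _id, principals = parse_cert_principals(line)
    findings = ["no principals"] if not principals else []
    findings += [f"wildcard principal {p!r}" for p in principals if "*" in p or "?" in p]
    return findings


def _split_options(line: str):
    """Comma-split the options prefix, honouring quotes (principals="a,b"), stop at blank."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(line):
            i += 1
            c = line[i]                                      # escaped char inside quotes
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur, i = [], i + 1
            continue
        elif c in " \t" and not quoted:
            break
        cur.append(c)
        i += 1
    opts.append("".join(cur))
    return opts


def audit_authorized_keys(text: str):
    """1-based line numbers of cert-authority entries that have no principals= option."""
    flagged = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(KEY_TYPE_PREFIXES):
            continue
        opts = _split_options(line)
        if "cert-authority" in opts and not any(o.startswith("principals=") for o in opts):
            flagged.append(lineno)
    return flagged


# Constructed sample file (keys are not real): line 3 is the risky entry, line 4 the fixed one.
AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA plain-key
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ca-any-principal
cert-authority,principals="alice,bob" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ca-restricted
"""

if __name__ == "__main__":
    for princs in ([], ["alice"], ["*.example.com"]):
        print(princs, "->", check_cert(cert_line(build_ed25519_cert(princs))))
    print("authorized_keys lines missing principals=:", audit_authorized_keys(AUTHORIZED_KEYS))
```

On a real host the same `check_cert` can be run over the output of `cat *-cert.pub` or over certs Vault has issued; `ssh-keygen -L -f` shows the same field as "Principals: (none)" for the empty case. The authorized_keys scan is the check for the user-cert situation described in the message: a `cert-authority` line without `principals=` is what makes an empty-principals user cert usable for that account.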


More information about the openssh-unix-dev mailing list