would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?

Christian, Mark mark.christian at intel.com
Tue Jun 2 04:33:17 AEST 2020


Wondering if it would make sense to have more granular control of
TrustedUserCAKeys?  I have 1 key used to sign root certs, the key is
short-lived, and is rotated daily.  And I have a 2nd key to sign
non-privileged user certs.  The non-privileged certs have a longer
validity period, and the signing keys are not rotated as frequently.
It would be nice to ensure this second signing key's associated pubkey
in TrustedUserCAKeys is never consulted when a root certificate is
presented, perhaps via some form of blacklisting within the
TrustedUserCAKeys file?  This would provide some assurance that the
theft of the second key could not be used to sign root certificates and
be accepted for the systems I manage.

Mark Christian
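
Added example, not part of the original post or of the OpenSSH project: the separation described above can be expressed with a Match block in sshd_config, since TrustedUserCAKeys is one of the keywords sshd_config(5) permits inside Match. The file paths are hypothetical placeholders.

```conf
# /etc/ssh/sshd_config (fragment). File paths are hypothetical placeholders.

# Before: one file holding both CA public keys. Either CA can sign a
# certificate that sshd accepts for any account whose name appears in the
# certificate's principals, including root.
#TrustedUserCAKeys /etc/ssh/all_user_cas.pub

# After: the global setting trusts only the long-lived CA that signs
# non-privileged user certificates.
TrustedUserCAKeys /etc/ssh/user_ca.pub

# For root, the Match block overrides the global value, so only the
# daily-rotated root CA is consulted when the login user is root.
# A certificate signed by the user CA with principal "root" is rejected.
Match User root
    TrustedUserCAKeys /etc/ssh/root_ca.pub
```

The effective value for root can be checked with `sshd -T -C user=root,host=localhost,addr=127.0.0.1`. A `cert-authority` line in root's authorized_keys file is evaluated separately from TrustedUserCAKeys, so that file needs the same review.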


More information about the openssh-unix-dev mailing list