User certificates with empty principals?
Rory Campbell-Lange
rory at campbell-lange.net
Mon Feb 22 09:05:40 AEDT 2021
On 19/02/21, Brian Candler (b.candler at pobox.com) wrote:
> I wonder if you could help clarify something for me. There is a scary
> warning in ssh-keygen(1) about certificates with empty principals:
>
> "By default, generated certificates are valid for all users or hosts"
>
> However, this appears to be contradicted by sshd_config(5), where it says:
>
> "The default [for AuthorizedPrincipalsFile] is none, i.e. not to use a
> principals file - in this case, the username of the user must appear in a
> certificate's principals list for it to be accepted."
>
> and:
>
> "Note that certificates that lack a list of principals will not be permitted
> for authentication using TrustedUserCAKeys."
>
> I've been trying to identify when a user certificate with no principals can
> be used, and the only case I can find is when the cert-authority has been
> listed in ~/.ssh/authorized_keys without a principals="..." option being
> specified. Is that the only case? Including all older versions of sshd?
>
> The reason I'm concerned is I'm looking at Vault for issuing SSH certs, and
> I've found that even if you constrain an SSH role to issue certs for a
> certain set of principals, it still lets the user issue a cert with no
> principals. I'm trying to convince myself whether or not that's safe.
>
> I have tested the scenarios I can think of with openssh 8.2p1:
>
> 1. default configuration with no AuthorizedPrincipalsFile/Command
>
> => sshd rejects with: "Certificate lacks principal list"
>
> 2. AuthorizedPrincipalsFile containing "foo"
>
> => sshd rejects with: "Certificate does not contain an authorized principal"
>
> 3. empty AuthorizedPrincipalsFile
>
> => sshd rejects with: "Certificate does not contain an authorized principal"
>
> So it seems OK, but in that case perhaps ssh-keygen(1) could be clarified.
> As well as the warning given above, it contains an example of creating a
> user certificate without any principals:
>
> $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
>
> To me it seems not very useful (or safe), if the only way you could use it
> is to allow logins with *any* certificate from this CA in
> ~/.ssh/authorized_keys.
I've tested the scenarios you have outlined above on SSH 7.9p1 (Debian)
and have the same results.
I agree that the example for ssh-keygen would ideally be improved so
that the first signing example has a principal list so that this is
considered the default.
The possibility of someone "stealing" the server's TrustedUserCAKeys key
and inserting it into a user's ~/.ssh/authorized_keys file as a
cert-authority line hadn't occurred to me. Locking down the
AuthorizedKeysFile paths seem sensible, together will a policy for
rotating TrustedUserCAKeys frequently.
Can one not configure vault to never issue certificates without a
principals list? If not perhaps Hashicorp can be persuaded to add the
option.
Rory
More information about the openssh-unix-dev
mailing list