User certificates with empty principals?
Brian Candler
b.candler at pobox.com
Mon Feb 22 20:33:59 AEDT 2021
On 21/02/2021 22:05, Rory Campbell-Lange wrote:
> Can one not configure vault to never issue certificates without a
> principals list? If not perhaps Hashicorp can be persuaded to add the
> option.
Not as far as I can see, and I don't want to raise a feature request
without a valid use case.
*Host* certificates may be the driver. ssh-keygen suggests that a host
certificate with no principals can masquerade as any host (but I haven't
tested it yet).
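An added example, not part of the original post and not OpenSSH or Vault code: a parser that reads the principals list out of a certificate line, so an issuance pipeline can flag certificates whose "valid principals" field is zero-length (which OpenSSH's PROTOCOL.certkeys defines as valid for any principal of that certificate type). The helper names and `sample_cert` are hypothetical; the sample certificate is constructed with a dummy key and an empty signature, and only three certificate types are handled.

```python
import base64
import struct

# Count of length-prefixed public-key fields per cert type (PROTOCOL.certkeys).
PUBKEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, public_key
}
CERT_TYPES = {1: "user", 2: "host"}

def pack(b):
    """Encode an SSH 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read(buf, off):
    """Decode one SSH 'string' at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(line):
    """Return (cert type, key id, principals) for one *-cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    name, off = read(blob, 0)
    _, off = read(blob, off)                         # nonce
    for _ in range(PUBKEY_FIELDS[name.decode()]):    # skip the public key
        _, off = read(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = read(blob, off + 12)
    packed, off = read(blob, off)                    # valid principals
    names, p = [], 0
    while p < len(packed):
        item, p = read(packed, p)
        names.append(item.decode())
    return CERT_TYPES.get(ctype, "unknown"), key_id.decode(), names

def sample_cert(ctype, principals):
    """Constructed ed25519 cert with dummy key and empty signature (parse-only)."""
    name = b"ssh-ed25519-cert-v01@openssh.com"
    body = (pack(name) + pack(b"\0" * 32) + pack(b"\1" * 32)
            + struct.pack(">QI", 1, ctype) + pack(b"constructed-key-id")
            + pack(b"".join(pack(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)       # valid after / before
            + pack(b"") * 5)  # options, extensions, reserved, CA key, signature
    return name.decode() + " " + base64.b64encode(body).decode()
```

An empty list returned by `cert_principals` corresponds to what `ssh-keygen -L` prints as `Principals: (none)`.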