Match PubkeyType (sshd_config feature request)

Darren Tucker dtucker at dtucker.net
Sat Apr 2 14:01:55 AEDT 2022


On Sat, 2 Apr 2022 at 09:02, Al <allogenes at posteo.net> wrote:
> I've got another feature request :) I would like to be able to add something which looks like this to sshd_config:
> Match PubkeyType ssh-ed25519-cert-v01 at openssh.com, Address 123.123.0.0/16
> AllowGroups ssh-cert-users
> Match PubkeyType sk-ssh-ed25519 at openssh.com, Address 234.234.0.0/16
> AllowGroups ssh-yubikey-users

There isn't really a mechanism in Match to implement this.  The way
Match works is that it updates the effective config at two points in
time: once as soon as the connection is received (ie the source
address is known) and once when the client sends the username.

Public-key authentication attempts do not happen until later in the
protocol.   For a given connection there may be zero or more pubkey
attempts of varying types (potentially requiring multiple of them,
although OpenSSH does not currently implement this).

[...]
> But then (iiuc) they still won't be able to log in unless you give the match an AllowGroup:
> Match Group ssh-cert-users
> AllowGroup ssh-cert-users
> PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01 at openssh.com

This should work.

> Which seems circular ... allow the group if they're in the group, what?

AllowGroups (and AllowUsers) are much simpler mechanisms compared to
Match and predate it by a decade or more.  Interactions like the one
above are ... awkward, although some other interactions read more
sensibly, eg:

Match Address 10.0.0.0/8
    AllowGroups internal-users

With a small addition of a boolean "AllowLogin yes/no" Match could be
a functional superset of AllowUsers/AllowGroups:

AllowLogin no
Match Address 10.0.0.0/8 Group somegroup
    AllowLogin yes

but since it wouldn't allow you to do anything you can't already do
with AllowUsers/AllowGroups it hasn't made it to the top of a to-do
list.

> And there are other possible complications, like what if they are in both ssh-cert-users and ssh-private, and they use different keys for different purposes? "Match Group" doesn't seem to provide the required flexibility.

Match operates on a first-match basis so you could put the least
restrictive group first, or you could have a Match line with two Group
predicates followed by lines specifying the union of the allowed
behaviours, followed by two single Match Group's with their respective
individual behaviours.

> There could be other uses too, like before transitioning to a pure cert/sk setup, you can Match deprecated key types to provide those users with a Banner warning. "We will be disabling ssh-rsa and ssh-ed25519 on 2022-06-30. Please remember to switch to sk keys before then."

That could be done now with ExposeAuthInfo and a couple of lines in
the shell startup script.

> So after circling around the problem for a while, I keep coming back to the same idea: it would be cool to be able to match the incoming key type, as I see a few interesting uses for this.
>
> Do you think it would be doable?

Probably not.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list