Certificate spec anomaly?

Brian Candler b.candler at pobox.com
Tue Sep 20 04:57:52 AEST 2022


I have had the following potential inconsistency pointed out to me, and 
I thought I'd raise it here.

On the one hand, OpenSSH by default doesn't allow authentication using a 
certificate with no principals[^1]. From sshd_config(5):

 > Note that certificates that lack a list of principals will not be 
permitted for authentication using TrustedUserCAKeys.

On the other hand, the spec at 
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.19&content-type=text/x-cvsweb-markup 
says:

 > As a special case, a zero-length "valid principals" field means the 
certificate is valid for any principal of the specified type.

I think the behaviour of sshd is sane and sensible. A 
"super-certificate" which can impersonate any user (or any host[^2]) 
seems like a dangerous thing to me; especially since it's what you get 
by default if you omit the -n option to ssh-keygen -I.  There are other 
SSH CAs which may generate this sort of certificate if you don't request 
any principal (e.g. Hashicorp Vault).  Rejecting it seems the safer option.

I wonder if the protocol documentation is out of step, or if I've missed 
a subtlety?

What started this discussion[^3] was that in Go's implementation of ssh, 
validating a certificate skips the principal check if the certificate 
contains no principals - apparently in accordance with the spec.

https://cs.opensource.google/go/x/crypto/+/c86fa9a7:ssh/certs.go;l=401-413

Regards,

Brian.

[^1] Although I haven't tested it for a while, I was able to accept a 
principal-less certificate, by adding an entry to ~/.ssh/authorized_keys 
which specifies cert-authority without any principals="..." option.

AFAICT, this allows anyone with *any* user certificate signed by the CA 
to authenticate, with or without principals. That's clearly less than 
ideal, but at least it was configured explicitly on this account, and 
the attack surface is limited to that one particular account.

[^2] I haven't tested whether a host certificate without any principals 
is accepted by the ssh client.

[^3] https://github.com/uber/pam-ussh/issues/15#issuecomment-1250245686



More information about the openssh-unix-dev mailing list