-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for SSH CAs #1098
Add support for SSH CAs #1098
Conversation
In #1076, it was requested that this support a concept of "groups" as SSH certificate principals. In other words, when creating a certificate, you would specify groups (e.g. This could get a little awkward though - the current implementation requires that the username you connect with match a principal in the certificate. Ultimately however, the debug SSH server has no concept of permissions, so this username is only used for logging purposes. We could remove the username restriction and update the log line to record both the "key ID" and all principals, in the case of an SSH cert. |
This adds support for configuring SSH CAs. The SSH server will accept authentication for any valid certificate signed by an SSH CA, assuming that the user they connect with matches a principal in the certificate - if no principals are defined in the cert, then any username can be used.
This is a step towards #1076, but does not implement group access control.
While working on this PR I noticed that removing authorized keys from the SSH configuration does not take effect upon reload.
wireSSHReload
callsconfigSSH
with the existing server, andSSHServer.ClearAuthorizedKeys
is not called anywhere in the codebase.For this reason, I opted for the same behavior with CAs. I can fix this if it's a bug.