cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License

Requester can sign their own cert (when also listed as a signer) #41

Closed Arvanaghi closed 5 years ago

Arvanaghi commented 5 years ago

It looks like an AuthorizedRequester can sign their own cert if they are also an AuthorizedSigner for the same environment. It seems intuitive to me that some requesters would also be signers for the same environment, and that requesters should not be able to sign a request for their own pubkey by default.

bobveznat commented 5 years ago

You've described the current behavior correctly. Is your expectation just that as a default a key cannot be used to sign a request if the signing key is == requesting key? And make an exception for if the config only has 1 key in it?

The last time I ran this in production I actually worked around this via lots of keys. I get this isn't appropriate for everyone. But I, as an individual, had signing keys for prod, staging and dev and user/requester keys for prod, staging and dev. This seems unintuitive and kind of lame actually, however, once you realize that ssh-agent can only store one certificate per public key you may end up wanting lots of keys.

Anyway, I'm interested in hearing what behavior you'd like to see.

Arvanaghi commented 5 years ago

Thanks for the quick reply!

I think this should disallow the same key fingerprint being allowed to sign a request made by that same key fingerprint. If you’re using some form of hardware token for your SSHing, you don’t have the luxury of multiple keys per environment.

On Aug 28, 2019, at 6:51 PM, Bob Van Zant notifications@github.com wrote:


Arvanaghi commented 5 years ago

Do you anticipate making a fix for this? Wondering if I should try and block off some time.

Arvanaghi commented 5 years ago

Here you go! https://github.com/cloudtools/ssh-cert-authority/pull/42

bobveznat commented 5 years ago

Fixed with PR #42. I updated the README and pushed the version to 2.0.0 since this may break backwards compatibility for folks. Thank you!
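The check Arvanaghi proposes above (a key fingerprint may not approve a request made by that same fingerprint) is small enough to show in full. The following Go program is an added illustration written for this page; it is not code from ssh-cert-authority or from PR #42, and it does not claim to reproduce how that PR implements the rule. It assumes a hypothetical Environment type with two fingerprint-keyed ACLs mirroring the AuthorizedRequesters / AuthorizedSigners lists the issue names, computes OpenSSH-style SHA256 fingerprints from authorized_keys lines using only the standard library, and rejects self-signing before the signer ACL result is trusted. The sample keys are constructed in code and are not real keys.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint returns the OpenSSH-style "SHA256:<base64>" fingerprint of an
// authorized_keys-format line ("<type> <base64 blob> [comment]"): SHA-256 over
// the raw key blob, base64 without padding. This matches ssh-keygen -l output.
func Fingerprint(authorizedKeyLine string) (string, error) {
	fields := strings.Fields(authorizedKeyLine)
	if len(fields) < 2 {
		return "", errors.New("malformed public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", fmt.Errorf("decode key blob: %w", err)
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// Environment is a hypothetical stand-in for one environment's config: the two
// ACLs discussed in the issue, keyed by key fingerprint.
type Environment struct {
	AuthorizedRequesters map[string]bool
	AuthorizedSigners    map[string]bool
}

var (
	ErrNotRequester = errors.New("key is not an authorized requester")
	ErrNotSigner    = errors.New("key is not an authorized signer")
	ErrSelfSign     = errors.New("a key may not sign its own certificate request")
)

// CanSign decides whether signerFP may approve a request submitted by
// requesterFP. Being on both ACLs is allowed; approving your own request is not.
func (e Environment) CanSign(requesterFP, signerFP string) error {
	if !e.AuthorizedRequesters[requesterFP] {
		return ErrNotRequester
	}
	if !e.AuthorizedSigners[signerFP] {
		return ErrNotSigner
	}
	if requesterFP == signerFP {
		return ErrSelfSign
	}
	return nil
}

// sshString appends an SSH wire-format string (4-byte big-endian length + bytes).
func sshString(b, s []byte) []byte {
	n := uint32(len(s))
	b = append(b, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
	return append(b, s...)
}

// constructedEd25519Line builds a syntactically valid ssh-ed25519 public key
// line from a deterministic 32-byte pattern. Constructed test data, not a real key.
func constructedEd25519Line(seed byte, comment string) string {
	var pub [32]byte
	for i := range pub {
		pub[i] = seed + byte(i)
	}
	var blob []byte
	blob = sshString(blob, []byte("ssh-ed25519"))
	blob = sshString(blob, pub[:])
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

func main() {
	alice, _ := Fingerprint(constructedEd25519Line(1, "alice@hw-token"))
	bob, _ := Fingerprint(constructedEd25519Line(7, "bob@hw-token"))

	// Both users are requesters and signers for the same environment,
	// exactly the configuration the issue describes.
	env := Environment{
		AuthorizedRequesters: map[string]bool{alice: true, bob: true},
		AuthorizedSigners:    map[string]bool{alice: true, bob: true},
	}
	fmt.Println("alice ->", alice)
	fmt.Println("bob signs alice's request:", env.CanSign(alice, bob))  // <nil>
	fmt.Println("alice signs her own request:", env.CanSign(alice, alice)) // self-sign error
}
```

The comparison is on fingerprints rather than on key comments or file names, because the comment is attacker-controllable free text while the fingerprint is bound to the key material; a single-key deployment would need an explicit opt-out rather than the exception being implied from ACL size.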