cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License

Make sure requester fingerprint != signer fingerprint #42

Closed Arvanaghi closed 5 years ago

Arvanaghi commented 5 years ago

It is a bad assumption that requester and signer keys will always be different keys.

For example, I may have a hardware token, and I may be in both the AuthorizedRequester and AuthorizedSigner groups for a certain environment. If only one signature is required, that means I can sign my own request!

The SSH CA should disallow the same key fingerprint being used to sign a request made by that fingerprint. This PR addresses that.
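A sketch of the check described above, as an added example that is not the project's code or this PR's diff: signatures are matched to the request by SHA256 key fingerprint, so a self-signature never counts toward the required number. The function names, the `authorized` set and the sample keys are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// fingerprint returns the OpenSSH-style SHA256 fingerprint of a "type blob [comment]" line.
func fingerprint(line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", fmt.Errorf("malformed public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), err
}

// countIndependentSigners counts distinct authorized signer keys other than the requester's.
func countIndependentSigners(requester string, signers []string, authorized map[string]bool) (int, error) {
	reqFp, err := fingerprint(requester)
	if err != nil {
		return 0, err
	}
	seen := map[string]bool{}
	for _, s := range signers {
		fp, err := fingerprint(s)
		if err != nil {
			return 0, err
		}
		if fp != reqFp && authorized[fp] {
			seen[fp] = true // map key de-duplicates repeated signatures
		}
	}
	return len(seen), nil
}

// Constructed sample keys: the blobs are placeholder bytes, not real SSH keys.
const aliceToken = "ssh-ed25519 Y29uc3RydWN0ZWQta2V5LWFsaWNl alice@token"
const aliceAlias = "ssh-ed25519 Y29uc3RydWN0ZWQta2V5LWFsaWNl alice@laptop"
const bobKey = "ssh-ed25519 Y29uc3RydWN0ZWQta2V5LWJvYg== bob@token"

func main() {
	aFp, _ := fingerprint(aliceToken)
	fmt.Println(countIndependentSigners(aliceToken, []string{aliceAlias}, map[string]bool{aFp: true}))
}
```

Because the comparison uses the fingerprint of the key blob, the same key presented under a different comment is still treated as the requester's own.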