Re: OpenSSH certified keys

To: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Subject: Re: OpenSSH certified keys
From: Damien Miller <djm%mindrot.org@localhost>
Date: Wed, 17 Mar 2010 06:54:00 +1100 (EST)

On Tue, 16 Mar 2010, Nicolas Williams wrote:

> On Wed, Mar 17, 2010 at 04:19:28AM +1100, Damien Miller wrote:
> > "valid principals" is a string containing zero or more principals as
> > strings packed inside it. These principals list the names for which this
> > certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
> > usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
> > zero-length "valid principals" field means the certificate is valid for
> > any principal of the specified type. XXX DNS wildcards?
> 
> Er, can usernames contain @domain qualifiers?  How should usernames
> without an @domain qualifier be handled by servers?

Presently, usernames are interpreted locally. I'd like to support domain-
scoped usernames but deliberate left it out of the initial implementation
until I had a chance to gather and think about the requirements some more.
I had a couple of ideas on how to make it useful:

1) Support another type "SSH_CERT_TYPE_USER_HOST" that includes the
   qualifiers

2) Encode domain qualifiers as a certificate constraint

3) Encourage a mapping between principal names encoded in the cert and
   local usernames to be implemented in the SSH server.

I'm leaning towards #3 - having (in OpenSSH-parlance) an
"authorized_principals" file that specifies which principals are permitted
for an account.

-d

References:
- OpenSSH certified keys
  - From: Damien Miller
- Re: OpenSSH certified keys
  - From: Nicolas Williams

Prev by Date: Re: OpenSSH certified keys
Next by Date: Re: OpenSSH certified keys
Previous by Thread: Re: OpenSSH certified keys
Next by Thread: Re: OpenSSH certified keys
Indexes:

Home | Main Index | Thread Index | Old Index