Mailing List Archive

[Bug 3204] New: Enable user-relative revoked keys files
https://bugzilla.mindrot.org/show_bug.cgi?id=3204

Bug ID: 3204
Summary: Enable user-relative revoked keys files
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: macdjord@gmail.com

The `AuthorizedKeysFile` directive supports the %h, %U, and %u tokens,
but the `RevokedKeys` directive does not. Thus it is possible to grant
individual users the ability to add authorized login keys (and indeed
this is the default with `.ssh/authorized_keys`), including authorized
certificate authorities using the `cert-authority` option, but there is
no way to grant them the ability to manage their own lists of revoked
keys.

This should be fixed by enabling support for the %h, %U, and %u tokens
for the `RevokedKeys` directive.

See also https://bugzilla.mindrot.org/show_bug.cgi?id=2328, which
proposes a more powerful but more complicated solution to this issue:
allowing `authorized_keys` to specify a revocation list file for each
certificate authority key it defines.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
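The report above turns on one asymmetry: a user can publish their own trust anchor through the `cert-authority` option in `%h/.ssh/authorized_keys`, but the key revocation list (KRL) that would undo a certificate from that CA can only be consulted by sshd through the single, administrator-owned `RevokedKeys` path. The script below is an added example, not code from the bug report or from OpenSSH: it builds a user-managed CA, issues two certificates from it, revokes one of them by serial number into a KRL, and checks both certificates against that KRL with `ssh-keygen -Q`. The key names, principals, serial numbers (7 and 8) and the temporary working directory are assumptions for the demo; only `ssh-keygen` itself is required.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): a user-managed CA,
# two certificates issued by it, and a KRL that revokes one of them by serial.
# Names, serials and paths below are assumptions made for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the CA, two user certificates (serials 7 and 8) and a KRL that
# revokes serial 7. Idempotent: existing files are reused, so the function can
# be called more than once in the same run without ssh-keygen prompting.
make_pki() {
  [ -f "$WORK/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-managed CA' -f "$WORK/user_ca"
  for name in alice bob; do
    [ -f "$WORK/$name" ] || ssh-keygen -q -t ed25519 -N '' -C "$name" -f "$WORK/$name"
  done
  # -z sets the certificate serial. The KRL below revokes by serial, so the
  # revoking party never needs the revoked public key itself.
  [ -f "$WORK/alice-cert.pub" ] || ssh-keygen -q -s "$WORK/user_ca" -I alice-laptop -n alice -z 7 "$WORK/alice.pub"
  [ -f "$WORK/bob-cert.pub" ]   || ssh-keygen -q -s "$WORK/user_ca" -I bob-laptop   -n bob   -z 8 "$WORK/bob.pub"
  # KRL spec: "serial: 7". -s scopes the serial to certificates signed by user_ca,
  # so a certificate with serial 7 from some other CA is not affected.
  printf 'serial: 7\n' > "$WORK/revoke.spec"
  [ -f "$WORK/revoked.krl" ] || ssh-keygen -q -k -f "$WORK/revoked.krl" -s "$WORK/user_ca.pub" "$WORK/revoke.spec"
}

# Returns 0 if the named certificate (alice or bob) is listed as revoked in the
# KRL, 1 if it is not. ssh-keygen -Q exits non-zero when any given key is revoked.
cert_is_revoked() {
  cert="$WORK/$1-cert.pub"
  [ -f "$cert" ] || { echo "no such certificate: $cert" >&2; return 2; }
  if ssh-keygen -Q -f "$WORK/revoked.krl" "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stand-alone demo; skipped when ssh-keygen is not installed.
if command -v ssh-keygen >/dev/null 2>&1; then
  make_pki
  for name in alice bob; do
    if cert_is_revoked "$name"; then echo "$name: REVOKED"; else echo "$name: ok"; fi
  done
  # Today sshd can only consult such a KRL via the single global directive,
  # e.g.  RevokedKeys /etc/ssh/revoked_keys  in sshd_config; the %h/%u/%U
  # tokens requested above would allow  RevokedKeys %h/.ssh/revoked_keys.
fi
```

Two practical caveats when wiring the resulting KRL into sshd: `RevokedKeys` takes the path literally in the version reported, so writing `%h/.ssh/revoked_keys` there does not expand the token, and sshd_config(5) documents that an unreadable `RevokedKeys` file causes public key authentication to be refused for all users. A misconfigured path therefore fails closed for everyone rather than silently disabling revocation.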