From 5788ac3f4ff02b3706a4690484a6cb31dca09b0b Mon Sep 17 00:00:00 2001
From: max furman
Date: Thu, 7 Nov 2019 21:39:36 -0800
Subject: [PATCH] sshpop token should not allow renew/rekey of user ssh certs
---
 authority/provisioner/sshpop.go | 7 +++++++
 authority/ssh.go | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/authority/provisioner/sshpop.go b/authority/provisioner/sshpop.go
index e0c4a2f7..9891f495 100644
--- a/authority/provisioner/sshpop.go
+++ b/authority/provisioner/sshpop.go
@@ -204,6 +204,10 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert
 if err != nil {
 return nil, err
 }
+ if claims.sshCert.CertType != ssh.HostCert {
+ return nil, errors.New("sshpop AuthorizeSSHRenew: sshpop certificate must be a host ssh certificate")
+ }
+
 return claims.sshCert, nil
 }
@@ -215,6 +219,9 @@ func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Cert
 if err != nil {
 return nil, nil, err
 }
+ if claims.sshCert.CertType != ssh.HostCert {
+ return nil, nil, errors.New("sshpop AuthorizeSSHRekey: sshpop certificate must be a host ssh certificate")
+ }
 return claims.sshCert, []SignOption{
 // Validate public key
 &sshDefaultPublicKeyValidator{},
diff --git a/authority/ssh.go b/authority/ssh.go
index 9181b7bc..338f1da1 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -332,7 +332,7 @@ func (a *Authority) RenewSSH(oldCert *ssh.Certificate) (*ssh.Certificate, error)
 }
 if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
- return nil, errors.New("rewnewSSh: cannot renew certificate without validity period")
+ return nil, errors.New("rewnewSSH: cannot renew certificate without validity period")
 }
 dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
 va := time.Now()
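Review bot: The new CertType guard in AuthorizeSSHRenew, and the identical one in AuthorizeSSHRekey in the next hunk, tightens what an sshpop token may authorize, yet the diffstat lists no test file, so nothing pins down that a user certificate is now rejected on both paths and a later refactor could drop the check unnoticed. The comparison is fail-closed, since any CertType other than ssh.HostCert (including an unexpected value) is refused, which is the right default; it is worth stating the intent above each guard, e.g. `// sshpop tokens are accepted for host certificates only; user certificates must not be renewed or rekeyed through this provisioner.` The guard also assumes claims.sshCert was populated by the preceding call, which sits outside the hunk and cannot be confirmed here. Both AuthorizeSSHRenew and AuthorizeSSHRekey begin outside their hunks.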
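Review bot: The corrected message on the added line in RenewSSH still misspells the function name: `rewnewSSH` should read `renewSSH`, matching the `rekeySSH` prefix used in the parallel RekeySSH hunk, so the line becomes `return nil, errors.New("renewSSH: cannot renew certificate without validity period")`. The body of RenewSSH starts before and continues after this hunk.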
@@ -457,7 +457,7 @@ func (a *Authority) RekeySSH(oldCert *ssh.Certificate, pub ssh.PublicKey, signOp
 }
 if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
- return nil, errors.New("rekeySSh: cannot rekey certificate without validity period")
+ return nil, errors.New("rekeySSH: cannot rekey certificate without validity period")
 }
 dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
 va := time.Now()