sshpop token should not allow renew/rekey of user ssh certs

max furman 2019-11-07 21:39:36 -08:00
parent 54e3cf7322
commit 5788ac3f4f
2 changed files with 9 additions and 2 deletions


@ -204,6 +204,10 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert
if err != nil { if err != nil {
return nil, err return nil, err
} }
if claims.sshCert.CertType != ssh.HostCert {
return nil, errors.New("sshpop AuthorizeSSHRenew: sshpop certificate must be a host ssh certificate")
}
return claims.sshCert, nil return claims.sshCert, nil
} }
@ -215,6 +219,9 @@ func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Cert
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
if claims.sshCert.CertType != ssh.HostCert {
return nil, nil, errors.New("sshpop AuthorizeSSHRekey: sshpop certificate must be a host ssh certificate")
}
return claims.sshCert, []SignOption{ return claims.sshCert, []SignOption{
// Validate public key // Validate public key
&sshDefaultPublicKeyValidator{}, &sshDefaultPublicKeyValidator{},
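Review bot: The host-certificate test added in both hunks is the same three lines written twice, and neither copy says why a user certificate is refused, so the next reader has to recover the intent from the error string; a single helper called from AuthorizeSSHRenew and AuthorizeSSHRekey, carrying the rationale as a comment, would keep the two paths from drifting apart. The method doc comments, which begin outside the hunks, should state the same host-only restriction so callers do not learn it only from a rejected token. The new lines dereference `claims.sshCert` without a nil test — presumably the token parser guarantees it is set whenever `err` is nil, but that is worth confirming before relying on it in an authorization check. Both methods start outside the hunks and AuthorizeSSHRekey continues past the last visible line.
```go
// hostCertOnly rejects the certificate carried by an sshpop token unless it
// is a host certificate: an sshpop token proves possession of a host cert,
// and a user cert must not be able to renew or rekey itself through this
// provisioner. op names the calling method for the error message.
func hostCertOnly(cert *ssh.Certificate, op string) error {
	if cert == nil || cert.CertType != ssh.HostCert {
		return errors.New("sshpop " + op + ": sshpop certificate must be a host ssh certificate")
	}
	return nil
}

// … unchanged: token validation in AuthorizeSSHRenew …
if err := hostCertOnly(claims.sshCert, "AuthorizeSSHRenew"); err != nil {
	return nil, err
}
// … unchanged: token validation in AuthorizeSSHRekey …
if err := hostCertOnly(claims.sshCert, "AuthorizeSSHRekey"); err != nil {
	return nil, nil, err
}
```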


@ -332,7 +332,7 @@ func (a *Authority) RenewSSH(oldCert *ssh.Certificate) (*ssh.Certificate, error)
} }
if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 { if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
return nil, errors.New("rewnewSSh: cannot renew certificate without validity period") return nil, errors.New("rewnewSSH: cannot renew certificate without validity period")
} }
dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
va := time.Now() va := time.Now()
@ -457,7 +457,7 @@ func (a *Authority) RekeySSH(oldCert *ssh.Certificate, pub ssh.PublicKey, signOp
} }
if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 { if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
return nil, errors.New("rekeySSh: cannot rekey certificate without validity period") return nil, errors.New("rekeySSH: cannot rekey certificate without validity period")
} }
dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
va := time.Now() va := time.Now()
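Review bot: The new error string on line 36 still misspells the function name — `rewnewSSH` for RenewSSH — so the commit fixes the capitalisation but not the typo; it should read `return nil, errors.New("renewSSH: cannot renew certificate without validity period")`. Separately, the validity guard just above it (and its twin in RekeySSH) only rejects a zero `ValidBefore`: a certificate issued with `ssh.CertTimeInfinity` would pass the guard, and `time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second` on the following line would then overflow into a meaningless duration, so adding `|| oldCert.ValidBefore == ssh.CertTimeInfinity` to both guards is worth considering if such certificates can reach these methods — which I cannot confirm from this hunk. RenewSSH and RekeySSH both begin and end outside the hunks.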