From 53f62f871cc324a1bf4675c140f993837df43980 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 29 Jul 2019 16:36:46 -0700
Subject: [PATCH] Set not extensions to host certificates.

---
 authority/provisioner/jwk.go | 4 ++--
 authority/provisioner/oidc.go | 4 ++--
 authority/provisioner/sign_ssh_options.go | 26 +++++++++++++++--------
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 7c983b74..ff53cce8 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -179,8 +179,6 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
 signOptions := []SignOption{
 // validates user's SSHOptions with the ones in the token
 &sshCertificateOptionsValidator{opts},
- // set the default extensions
- &sshDefaultExtensionModifier{},
 // set the key id to the token subject
 sshCertificateKeyIDModifier(claims.Subject),
 }
@@ -200,6 +198,8 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
 }
 
 return append(signOptions,
+ // set the default extensions
+ &sshDefaultExtensionModifier{},
 // checks the validity bounds, and set the validity if has not been set
 &sshCertificateValidityModifier{p.claimer},
 // require all the fields in the SSH certificate
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index a454a84f..bc108c01 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -299,8 +299,6 @@ func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error {
 // authorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
 signOptions := []SignOption{
- // set the default extensions
- &sshDefaultExtensionModifier{},
 // set the key id to the token subject
 sshCertificateKeyIDModifier(claims.Email),
 }
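Review bot: Moving `&sshDefaultExtensionModifier{}` from the initial slice into the appended tail makes `authorizeSSHSign` order-dependent in a way nothing in the hunk records: the modifier now switches on `cert.CertType` and returns an error when the type is still unset, so it has to run after whichever option populates the type (presumably one of the SSHOptions-derived modifiers that now precede it). Replace the carried-over comment at the new position with one that states the precondition, e.g. `// set the default extensions; must run after CertType is set, it rejects an unset type`. The second jwk.go hunk (@@ -200) and both oidc.go hunks (@@ -299 and @@ -320) make the identical move and want the same comment. authorizeSSHSign begins before and ends after the hunk in each file.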
@@ -320,6 +318,8 @@ func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
 }
 
 return append(signOptions,
+ // set the default extensions
+ &sshDefaultExtensionModifier{},
 // checks the validity bounds, and set the validity if has not been set
 &sshCertificateValidityModifier{o.claimer},
 // require all the fields in the SSH certificate
diff --git a/authority/provisioner/sign_ssh_options.go b/authority/provisioner/sign_ssh_options.go
index 8039aabb..b5d79ffa 100644
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@@ -148,15 +148,23 @@ func (m sshCertificateValidBeforeModifier) Modify(cert *ssh.Certificate) error {
 type sshDefaultExtensionModifier struct{}
 
 func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
- if cert.Extensions == nil {
- cert.Extensions = make(map[string]string)
+ switch cert.CertType {
+ // Default to no extensions to HostCert
+ case ssh.HostCert:
+ return nil
+ case ssh.UserCert:
+ if cert.Extensions == nil {
+ cert.Extensions = make(map[string]string)
+ }
+ cert.Extensions["permit-X11-forwarding"] = ""
+ cert.Extensions["permit-agent-forwarding"] = ""
+ cert.Extensions["permit-port-forwarding"] = ""
+ cert.Extensions["permit-pty"] = ""
+ cert.Extensions["permit-user-rc"] = ""
+ return nil
+ default:
+ return errors.New("ssh certificate type has not been set or is invalid")
 }
- cert.Extensions["permit-X11-forwarding"] = ""
- cert.Extensions["permit-agent-forwarding"] = ""
- cert.Extensions["permit-port-forwarding"] = ""
- cert.Extensions["permit-pty"] = ""
- cert.Extensions["permit-user-rc"] = ""
- return nil
 }
 
 // sshCertificateValidityModifier is a SSHCertificateModifier checks the
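Review bot: The `ssh.UserCert` branch is additive: it writes all five `permit-*` keys even when `cert.Extensions` already holds a narrower set, so any earlier modifier that deliberately restricted a user certificate's extensions has its grants widened again here; if callers can request fewer extensions (I cannot see such a path from the hunk), the defaults should be filled only when the map is empty, `if len(cert.Extensions) == 0 { ... }`, rather than on every call. The `default` branch erroring on an unset `CertType` is a sound fail-closed choice, but it makes the modifier depend on running after the type is set; say so on the method, e.g. `// Modify adds the default permit-* extensions to user certificates and none to host certificates; it must run after CertType is set and rejects an unset or unknown type.` The comment `// Default to no extensions to HostCert` reads better as `// Host certificates get no default extensions.`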
@@ -240,7 +248,7 @@ func (v *sshCertificateDefaultValidator) Valid(crt *ssh.Certificate) error {
 return errors.New("ssh certificate valid after cannot be 0")
 case crt.ValidBefore == 0:
 return errors.New("ssh certificate valid before cannot be 0")
- case len(crt.Extensions) == 0:
+ case crt.CertType == ssh.UserCert && len(crt.Extensions) == 0:
 return errors.New("ssh certificate extensions cannot be empty")
 case crt.SignatureKey == nil:
 return errors.New("ssh certificate signature key cannot be nil")
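Review bot: The new condition only narrows the extensions check, so a certificate whose `CertType` is neither `ssh.UserCert` nor `ssh.HostCert` (including the zero value) now passes this case where it previously failed when its extensions were empty; unless an earlier case outside the hunk already rejects an unknown type, add one ahead of this line, `case crt.CertType != ssh.UserCert && crt.CertType != ssh.HostCert: return errors.New("ssh certificate type has not been set or is invalid")`, so the validator fails closed the same way the modifier now does. The message on the following line could also name the scope it now has, `"ssh user certificate extensions cannot be empty"`. Valid starts before and ends after the hunk.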