sshpop token should not allow renew/rekey of user ssh certs

authority/provisioner/sshpop.go

@@ -204,6 +204,10 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert
 	if err != nil {
 		return nil, err
 	}
+	if claims.sshCert.CertType != ssh.HostCert {
+		return nil, errors.New("sshpop AuthorizeSSHRenew: sshpop certificate must be a host ssh certificate")
+	}
+
 	return claims.sshCert, nil
 
 }
@@ -215,6 +219,9 @@ func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Cert
 	if err != nil {
 		return nil, nil, err
 	}
+	if claims.sshCert.CertType != ssh.HostCert {
+		return nil, nil, errors.New("sshpop AuthorizeSSHRekey: sshpop certificate must be a host ssh certificate")
+	}
 	return claims.sshCert, []SignOption{
 		// Validate public key
 		&sshDefaultPublicKeyValidator{},

authority/ssh.go

@@ -332,7 +332,7 @@ func (a *Authority) RenewSSH(oldCert *ssh.Certificate) (*ssh.Certificate, error)
 	}
 
 	if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
-		return nil, errors.New("rewnewSSh: cannot renew certificate without validity period")
+		return nil, errors.New("rewnewSSH: cannot renew certificate without validity period")
 	}
 	dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
 	va := time.Now()
@@ -457,7 +457,7 @@ func (a *Authority) RekeySSH(oldCert *ssh.Certificate, pub ssh.PublicKey, signOp
 	}
 
 	if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
-		return nil, errors.New("rekeySSh: cannot rekey certificate without validity period")
+		return nil, errors.New("rekeySSH: cannot rekey certificate without validity period")
 	}
 	dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
 	va := time.Now()