bugzilla-daemon at mindrot.org
2014-Dec-22 09:07 UTC
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Bug ID: 2328
Summary: Per-user certificate revocation list (CRL) in authorized_keys
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at pobox.madduck.net
I can tag a pubkey `cert-authority` in authorized_keys, allowing every
user to administer their own CA for SSH logins. This is very cool,
thanks for that feature.
Unfortunately, this only makes sense if each user also manages a
corresponding CRL. However, this seems only possible in `sshd_config`,
meaning users cannot control it themselves trivially, and there's also
a namespacing issue / the possibility of users interfering with each
other. Finally, I might want to revoke access for a key from one
account but not another.
Hence, it would be cool if I could specify in `authorized_keys`
something akin to:
cert-authority,crl-file="revoked-certs",command="?"
ssh-rsa ?
and have `sshd` consult the CRL in `~/.ssh/revoked-certs` (or an
absolute path) when deciding whether to authenticate/authorize a login.
Thanks,
-m
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Dec-22 11:41 UTC
[Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
--- Comment #1 from martin f. krafft <bugzilla.mindrot.org at pobox.madduck.net> ---
It just occurred to me that this could probably trivially be enabled
by giving access to %h and %u, like AuthorizedKeysFile, to sshd_config's
RevokedKeys. It would still mean only one CRL per user, whereas a
pointer in the actual authorized_keys file would mean one CRL per CA,
which is what it should be.
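An added example (not OpenSSH code) of the per-CA revocation check the report and Comment #1 ask for: it parses an OpenSSH ed25519 certificate blob in its real wire order to recover the serial, key id, principals and the signing CA's SHA256 fingerprint, then consults a revocation map keyed by CA, so a serial revoked under one CA does not block a certificate with the same serial from another. The certificate is constructed inline with a dummy subject key and an empty signature, so it is only a wire-format sample; a real sshd verifies the CA signature before any revocation lookup.

```python
import base64
import hashlib
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b

def build_cert(serial: int, key_id: str, principals: list, ca_pub: bytes) -> str:
    """Return a base64 ed25519 cert blob in real field order. Constructed sample:
    zero nonce, dummy subject key and an EMPTY signature, so not a valid cert."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x11" * 32)      # type, nonce, subject key
            + struct.pack(">QI", serial, 1)                          # serial, type 1 = user cert
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)                       # valid_after, valid_before
            + _s(b"") + _s(b"") + _s(b"")                            # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(ca_pub)) + _s(b""))         # signature key (CA), signature
    return base64.b64encode(body).decode()

def parse_cert(blob_b64: str) -> dict:
    """Extract serial, type, key id, principals and the signing CA's fingerprint."""
    data, pos = base64.b64decode(blob_b64), 0
    def rd(fmt):                       # read one fixed-width field
        nonlocal pos
        v = struct.unpack_from(fmt, data, pos)[0]; pos += struct.calcsize(fmt); return v
    def rs():                          # read one SSH string
        nonlocal pos
        n = rd(">I"); v = data[pos:pos + n]; pos += n; return v
    assert rs() == CERT_TYPE, "not an ed25519 certificate"
    rs(); rs()                                         # nonce, subject public key
    serial, ctype, key_id = rd(">Q"), rd(">I"), rs().decode()
    princ_blob, principals, q = rs(), [], 0
    while q < len(princ_blob):                         # nested list of strings
        n = struct.unpack_from(">I", princ_blob, q)[0]; q += 4
        principals.append(princ_blob[q:q + n].decode()); q += n
    rd(">Q"); rd(">Q"); rs(); rs(); rs()               # validity window, options, extensions, reserved
    ca_blob = rs()                                     # CA public key blob exactly as embedded
    # Same form ssh-keygen -l prints: SHA256 over the key blob, base64 without padding.
    ca_fp = "SHA256:" + base64.b64encode(hashlib.sha256(ca_blob).digest()).decode().rstrip("=")
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "ca_fingerprint": ca_fp}

def is_revoked(blob_b64: str, revoked_by_ca: dict) -> bool:
    """Per-CA revocation: a serial only counts as revoked under the CA it is listed for."""
    cert = parse_cert(blob_b64)
    return cert["serial"] in revoked_by_ca.get(cert["ca_fingerprint"], set())
```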
bugzilla-daemon at mindrot.org
2014-Dec-22 22:30 UTC
[Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Having authorized_keys refer to other files is probably too much work
(it's tricky because of privilege separation), but it should at least
support revoking specific keys.
bugzilla-daemon at mindrot.org
2020-Aug-28 23:34 UTC
[Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Jordan Macdonald <macdjord at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |macdjord at gmail.com
--- Comment #3 from Jordan Macdonald <macdjord at gmail.com> ---
Created a new bug report for the suggestion to define per-user (rather
than per-cert) revocation lists:
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
bugzilla-daemon at mindrot.org
2020-Aug-28 23:54 UTC
[Bug 2328] Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Jordan Macdonald <macdjord at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.mindrot.org/show_bug.cgi?id=3204