Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

identity propagation in ssh secrets engine #7547

Closed
fredrikhgrelland opened this issue Oct 2, 2019 · 3 comments
Closed

identity propagation in ssh secrets engine #7547

fredrikhgrelland opened this issue Oct 2, 2019 · 3 comments

Comments

@fredrikhgrelland
Copy link
Contributor

Is your feature request related to a problem? Please describe.
At the moment it is not possible to enforce identity mapping from vault to ssh login using the ssh secrets engine for CA authentication. When creating a ssh signing role; setting allowed_users to '*' enables anyone attached to this role to impersonate any os user.

Describe the solution you'd like
Extending the allowed_users field with a new special character '?'
In path_sign.go we test the valid_principals filed against the authenticated users name.
The resulting signed public key will contain only the authenticated users name.

Describe alternatives you've considered
In order to enforce vault user to os user mapping we must create one role pr user. This does not scale and requires puppet or the like to update the trusts in each and every server.

Additional context
Implementation in PR relies on parsing the request DisplayName, as I could not find any way of accessing Identity alias or the like from this context.

@fredrikhgrelland
Copy link
Contributor Author

fredrikhgrelland commented Oct 2, 2019

PR: #7548

@jefferai
Copy link
Member

jefferai commented Oct 2, 2019

More or less a duplicate of #6056.

@michelvocks
Copy link
Contributor

Closing this in favor of #6056

fredrikhgrelland pushed a commit to fredrikhgrelland/vault that referenced this issue Jan 29, 2020
briankassouf pushed a commit that referenced this issue Feb 15, 2020
* identity propagation in ssh secrets engine #7547

* flag to enable templating allowed_users ssh (ca) secrets backend.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants