-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
identity propagation in ssh secrets engine #7547
Comments
PR: #7548 |
More or less a duplicate of #6056. |
Closing this in favor of #6056 |
fredrikhgrelland
pushed a commit
to fredrikhgrelland/vault
that referenced
this issue
Jan 29, 2020
briankassouf
pushed a commit
that referenced
this issue
Feb 15, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
At the moment it is not possible to enforce identity mapping from vault to ssh login using the ssh secrets engine for CA authentication. When creating a ssh signing role; setting allowed_users to '*' enables anyone attached to this role to impersonate any os user.
Describe the solution you'd like
Extending the allowed_users field with a new special character '?'
In path_sign.go we test the valid_principals filed against the authenticated users name.
The resulting signed public key will contain only the authenticated users name.
Describe alternatives you've considered
In order to enforce vault user to os user mapping we must create one role pr user. This does not scale and requires puppet or the like to update the trusts in each and every server.
Additional context
Implementation in PR relies on parsing the request DisplayName, as I could not find any way of accessing Identity alias or the like from this context.
The text was updated successfully, but these errors were encountered: