Forbid ssh key signing with specified extensions when role allowed_extensions is not set #12847
force-pushed from f73c63b to beee2ae
…tensions is not set

- This is a behaviour change on how we process the allowed_extensions role parameter when it does not contain a value. The previous handling allowed a client to override and specify any extension they requested.
- We now require a role to explicitly set this behaviour by setting the parameter to a '*' value, which matches the behaviour of other keys such as allowed_users within the role.
- No migration of existing roles is provided either, so operators, if they truly want this behaviour, will need to update existing roles appropriately.
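The three-way rule the commit message describes (unset forbids client-chosen extensions, `*` permits any, a comma-separated list permits only those named) can be stated as a small validator. The code below is an added example written for this page, not Vault's own implementation: the `Role` struct, its field names, the `legacy` switch that reproduces the pre-PR handling for comparison, and the `DefaultExtensions` fallback are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Role carries the two role parameters this example needs. The field
// names are an assumption for illustration, not Vault's own role struct.
type Role struct {
	AllowedExtensions string            // "" (unset), "*" (any), or "ext1,ext2"
	DefaultExtensions map[string]string // applied when the client requests none
}

// sortedKeys returns the map keys in a stable order for error messages.
func sortedKeys(m map[string]string) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// ExtensionsForCert returns the critical extensions a signed certificate
// should carry. legacy=true reproduces the pre-PR rule, where an unset
// allowed_extensions let the client request any extension; legacy=false
// is the new rule, where only an explicit "*" grants that.
func ExtensionsForCert(role Role, requested map[string]string, legacy bool) (map[string]string, error) {
	out := make(map[string]string)

	// No client-supplied extensions: fall back to the role's defaults.
	if len(requested) == 0 {
		for k, v := range role.DefaultExtensions {
			out[k] = v
		}
		return out, nil
	}

	allowed := strings.TrimSpace(role.AllowedExtensions)
	switch {
	case allowed == "*":
		// Explicit wildcard: the operator opted in to client-chosen extensions.
	case allowed == "":
		if !legacy {
			return nil, fmt.Errorf("extensions %v are not on allowed list for role; allowed_extensions is unset",
				sortedKeys(requested))
		}
		// Legacy behaviour: unset was treated like "*".
	default:
		allowedSet := make(map[string]struct{})
		for _, e := range strings.Split(allowed, ",") {
			if e = strings.TrimSpace(e); e != "" {
				allowedSet[e] = struct{}{}
			}
		}
		for _, e := range sortedKeys(requested) {
			if _, ok := allowedSet[e]; !ok {
				return nil, fmt.Errorf("extension %q is not on allowed list for role", e)
			}
		}
	}

	for k, v := range requested {
		out[k] = v
	}
	return out, nil
}

func main() {
	// Constructed sample request: the client asks for two common extensions.
	req := map[string]string{"permit-pty": "", "permit-agent-forwarding": ""}
	for _, role := range []Role{
		{AllowedExtensions: ""},
		{AllowedExtensions: "*"},
		{AllowedExtensions: "permit-pty"},
	} {
		old, oldErr := ExtensionsForCert(role, req, true)
		cur, curErr := ExtensionsForCert(role, req, false)
		fmt.Printf("allowed_extensions=%q  before: %v %v  after: %v %v\n",
			role.AllowedExtensions, sortedKeys(old), oldErr, sortedKeys(cur), curErr)
	}
}
```

Running `main` prints the before/after outcome for the same request against the three role shapes; the only row that changes between the two rules is the unset one, which is exactly the break the release note has to call out.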
force-pushed from beee2ae to 181e590
Approving in general but feel free to make that modification you commented on.
@@ -0,0 +1,5 @@ | |||
```release-note:breaking-change | |||
secrets/ssh: Roles with empty allowed_extensions will now forbid end-users |
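Review bot: since the commit message says no migration of existing roles is provided, this release note should state the remediation explicitly, i.e. that operators who want the old behaviour must set `allowed_extensions` to `*` on the affected roles, so that anyone whose signing requests start failing after upgrade can find the fix in the changelog rather than in this PR. The visible line stops at "forbid end-users"; please make sure the full entry names the parameter and the `*` value.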
I think this has to be a single line, though I'm not positive.
I believe it's okay as 11775.txt (https://github.com/hashicorp/vault/blob/main/changelog/11775.txt) is multiple lines and seems to have generated ok: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180
Ah, good to know.
👍