open-vault

Commit Graph

Author	SHA1	Message	Date
Steven Clark	3428de017a	Forbid ssh key signing with specified extensions when role allowed_extensions is not set (#12847 ) * Forbid ssh key signing with specified extensions when role allowed_extensions is not set - This is a behaviour change on how we process the allowed_extensions role parameter when it does not contain a value. The previous handling allowed a client to override and specify any extension they requested. - We now require a role to explicitly set this behaviour by setting the parameter to a '*' value which matches the behaviour of other keys such as allowed_users within the role. - No migration of existing roles is provided either, so operators if they truly want this behaviour will need to update existing roles appropriately.	2021-10-15 17:55:18 -04:00

Author

SHA1

Message

Date

Steven Clark

3428de017a

Forbid ssh key signing with specified extensions when role allowed_extensions is not set (#12847 )

* Forbid ssh key signing with specified extensions when role allowed_extensions is not set

 - This is a behaviour change on how we process the allowed_extensions role
   parameter when it does not contain a value. The previous handling allowed
   a client to override and specify any extension they requested.
 - We now require a role to explicitly set this behaviour by setting the parameter
   to a '*' value which matches the behaviour of other keys such as allowed_users
   within the role.
 - No migration of existing roles is provided either, so operators if they truly
   want this behaviour will need to update existing roles appropriately.

2021-10-15 17:55:18 -04:00

1 Commits