3428de017a
* Forbid ssh key signing with specified extensions when role allowed_extensions is not set

 - This is a behaviour change on how we process the allowed_extensions role parameter when it does not contain a value. The previous handling allowed a client to override and specify any extension they requested.
 - We now require a role to explicitly set this behaviour by setting the parameter to a '*' value which matches the behaviour of other keys such as allowed_users within the role.
 - No migration of existing roles is provided either, so operators, if they truly want this behaviour, will need to update existing roles appropriately.
6 lines
269 B
Plaintext
```release-note:breaking-change
secrets/ssh: Roles with empty allowed_extensions will now forbid end-users
specifying extensions when requesting ssh key signing. Update roles setting
allowed_extensions to '*' to permit any extension to be specified by an end-user.
```
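Review bot: the release note's closing sentence ("Update roles setting allowed_extensions to '*' ...") does not tell operators that existing roles are left unmigrated, although the commit message says so explicitly. Since this is tagged as a breaking change, consider stating in the note that roles with an empty allowed_extensions are not migrated and must be updated by the operator. The phrase "Update roles setting allowed_extensions to '*'" can also be read as "roles that already set"; "Set allowed_extensions to '*' on a role to permit ..." would be unambiguous.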