CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2025/12/21 18:49:03

Modified files:
        usr.bin/ssh    : auth2-hostbased.c auth2-pubkey.c 
                         auth2-pubkeyfile.c ssh-agent.c ssh-keygen.c 
                         sshconnect.c sshkey.c sshsig.c sshkey.h 
                         ssh-keygen.1 

Log message:
When certificate support was added to OpenSSH, certificates were
originally specified to represent any principal if the principals
list was empty.

This was, in retrospect, a mistake as it created a fail-open
situation if a CA could be convinced to accidentally sign a
certificate with no principals. This actually happened in a 3rd-
party CA product (CVE-2024-7594).

Somewhat fortunately, the main pathway for using certificates in
sshd (TrustedUserCAKeys) never supported empty-principals
certificates, so the blast radius of such mistakes was
substantially reduced.

This change removes this footcannon and requires all certificates
include principals sections. It also fixes interpretation of
wildcard principals, and properly enables them for host
certificates only.

This is a behaviour change that will permanently break uses of
certificates with empty principals sections.

ok markus@
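To make the fail-open case concrete, here is an added example (not OpenSSH's code, and not from the commit above) that parses the valid-principals field out of a constructed, unsigned ssh-ed25519-cert-v01@openssh.com blob laid out per PROTOCOL.certkeys, then applies two simplified policy models: the old one, where an empty principals list matched any requested principal, and the new one, where an empty list is rejected and wildcard patterns are honoured only for host certificates. The certificate bytes (dummy key, nonce and signature) are constructed inline; `principal_allowed_old`, `principal_allowed_new` and the use of `fnmatchcase` for host patterns are this example's own simplifications, not OpenSSH's matching routine.

```python
"""Model of OpenSSH certificate principal checks, before and after the change.

Added example, not OpenSSH's code. Certificate layout follows PROTOCOL.certkeys
(ssh-ed25519-cert-v01@openssh.com); the policy functions are a simplified
model of the old fail-open and new fail-closed behaviour.
"""
import struct
from fnmatch import fnmatchcase

SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ed25519_cert(cert_type: int, principals: list, key_id: str = "test") -> bytes:
    """Constructed, unsigned certificate blob with dummy key material (assumption:
    we only need the principals field to be well-formed, not a valid signature)."""
    plist = b"".join(_string(p.encode()) for p in principals)
    return b"".join([
        _string(b"ssh-ed25519-cert-v01@openssh.com"),
        _string(b"\x00" * 32),          # nonce (dummy)
        _string(b"\x11" * 32),          # pk (dummy ed25519 public key)
        struct.pack(">Q", 1),           # serial
        struct.pack(">I", cert_type),   # type: 1 = user, 2 = host
        _string(key_id.encode()),       # key id
        _string(plist),                 # valid principals: packed strings
        struct.pack(">Q", 0),           # valid after
        struct.pack(">Q", 2**64 - 1),   # valid before
        _string(b""),                   # critical options (none)
        _string(b""),                   # extensions (none)
        _string(b""),                   # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # CA key (dummy)
        _string(b"\x33" * 64),          # signature (dummy, never verified here)
    ])


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_cert_principals(blob: bytes):
    """Return (cert_type, principals) from an ed25519 certificate blob."""
    off = 0
    ktype, off = _read_string(blob, off)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type")
    _, off = _read_string(blob, off)   # nonce
    _, off = _read_string(blob, off)   # public key
    off += 8                           # serial (uint64)
    (cert_type,) = struct.unpack_from(">I", blob, off)
    off += 4
    _, off = _read_string(blob, off)   # key id
    plist, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):             # principals are themselves a string list
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    return cert_type, principals


def principal_allowed_old(cert_type: int, principals: list, requested: str) -> bool:
    """Model of the pre-change rule: an empty list represents any principal."""
    if not principals:
        return True                    # the fail-open case the commit removes
    return requested in principals


def principal_allowed_new(cert_type: int, principals: list, requested: str) -> bool:
    """Model of the post-change rule: empty list is rejected outright; wildcard
    patterns (modelled with fnmatchcase) are honoured for host certs only."""
    if not principals:
        return False
    for pat in principals:
        if cert_type == SSH_CERT_TYPE_HOST and fnmatchcase(requested, pat):
            return True
        if pat == requested:
            return True
    return False
```

Running `parse_cert_principals` over a certificate from a real CA would need the signature and validity checks this model omits; the point of the two policy functions is only to show where the empty-list decision sits in the chain and why rejecting it is the safe default.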