Set not extensions to host certificates.

5 years ago · 53f62f871c
parent 48c98dea2a
commit 53f62f871c
3 changed files with 21 additions and 13 deletions
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -179,8 +179,6 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
 	signOptions := []SignOption{
 		// validates user's SSHOptions with the ones in the token
 		&sshCertificateOptionsValidator{opts},
-		// set the default extensions
-		&sshDefaultExtensionModifier{},
 		// set the key id to the token subject
 		sshCertificateKeyIDModifier(claims.Subject),
 	}
@ -200,6 +198,8 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
 	}

 	return append(signOptions,
+		// set the default extensions
+		&sshDefaultExtensionModifier{},
 		// checks the validity bounds, and set the validity if has not been set
 		&sshCertificateValidityModifier{p.claimer},
 		// require all the fields in the SSH certificate
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -299,8 +299,6 @@ func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error {
 // authorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
 	signOptions := []SignOption{
-		// set the default extensions
-		&sshDefaultExtensionModifier{},
 		// set the key id to the token subject
 		sshCertificateKeyIDModifier(claims.Email),
 	}
@ -320,6 +318,8 @@ func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
 	}

 	return append(signOptions,
+		// set the default extensions
+		&sshDefaultExtensionModifier{},
 		// checks the validity bounds, and set the validity if has not been set
 		&sshCertificateValidityModifier{o.claimer},
 		// require all the fields in the SSH certificate
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -148,15 +148,23 @@ func (m sshCertificateValidBeforeModifier) Modify(cert *ssh.Certificate) error {
 type sshDefaultExtensionModifier struct{}

 func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
-	if cert.Extensions == nil {
-		cert.Extensions = make(map[string]string)
+	switch cert.CertType {
+	// Default to no extensions to HostCert
+	case ssh.HostCert:
+		return nil
+	case ssh.UserCert:
+		if cert.Extensions == nil {
+			cert.Extensions = make(map[string]string)
+		}
+		cert.Extensions["permit-X11-forwarding"] = ""
+		cert.Extensions["permit-agent-forwarding"] = ""
+		cert.Extensions["permit-port-forwarding"] = ""
+		cert.Extensions["permit-pty"] = ""
+		cert.Extensions["permit-user-rc"] = ""
+		return nil
+	default:
+		return errors.New("ssh certificate type has not been set or is invalid")
 	}
-	cert.Extensions["permit-X11-forwarding"] = ""
-	cert.Extensions["permit-agent-forwarding"] = ""
-	cert.Extensions["permit-port-forwarding"] = ""
-	cert.Extensions["permit-pty"] = ""
-	cert.Extensions["permit-user-rc"] = ""
-	return nil
 }

 // sshCertificateValidityModifier is a SSHCertificateModifier checks the
@ -240,7 +248,7 @@ func (v *sshCertificateDefaultValidator) Valid(crt *ssh.Certificate) error {
 		return errors.New("ssh certificate valid after cannot be 0")
 	case crt.ValidBefore == 0:
 		return errors.New("ssh certificate valid before cannot be 0")
-	case len(crt.Extensions) == 0:
+	case crt.CertType == ssh.UserCert && len(crt.Extensions) == 0:
 		return errors.New("ssh certificate extensions cannot be empty")
 	case crt.SignatureKey == nil:
 		return errors.New("ssh certificate signature key cannot be nil")