Dustin C. Hatch
f9ebbbcce9
All checks were successful
dustin/sshca/pipeline/head This commit looks good
According to the *sshd(8)* manual page: > Certificates may encode access restrictions similar to these key > options. If both certificate restrictions and key options are > present, the most restrictive union of the two is applied. This would seem to apply that if a certificate has no restrictions, all features are allowed unless restricted in the `authorized_keys` file. Unfortunately, this is not actually the case. A certificate with no extensions apparently trumps all other configuration. As such, certificates need to explicitly list the features users will need. The list of extensions to add to user certificates is configurable via the `ca.user.extensions` array. The default set should provide a good user experience without being overly permissive.