Bug 2328

Summary: Per-user certificate revocation list (CRL) in authorized_keys
Product: Portable OpenSSH Reporter: martin ➬ <bugzilla.mindrot.org>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: djm, macdjord
Priority: P5    
Version: 6.7p1   
Hardware: Other   
OS: Linux   
See Also: https://bugzilla.mindrot.org/show_bug.cgi?id=3204

Description martin ➬ 2014-12-22 20:07:28 AEDT 
I can tag a punkey `cert-authority` in authorized_keys, allowing every user to administer their own CA for SSH logins. This is very cool, thanks for that feature.

Unfortunately, this only makes sense if each user also manages a corresponding CRL. However, this seems only possible in `sshd_config`, meaning users cannot control it themselves trivially, and there's also a namespacing issue / the possibility of users interfering with each other. Finally, I might want to revoke access for a key from one account but not another.

Hence, it would be cool if I could specify in `authorized_keys` something akin to:

  cert-authority,crl-file="revoked-certs",command="…" ssh-rsa …

and have `sshd` consult the CRL in `~/.ssh/revoked-certs` (or an absolute path) when deciding whether to authenticate/authorize a login.

Thanks,
-m
Comment 1 martin ➬ 2014-12-22 22:41:46 AEDT 
It just occured to me that this could probably trivially be enabled giving access to %h and %u like AuthorizedKeysFile to sshd_config's RevokedKeys. It would still mean only one CRL per user, whereas a pointer in the actual authorized_keys file would mean one CRL per CA, which is what it should be.
Comment 2 Damien Miller 2014-12-23 09:30:51 AEDT 
Having authorized_keys refer to other files is probably too much work (it's tricky because of privilege separation), but it should at least support revoking specific keys.
Comment 3 Jordan Macdonald 2020-08-29 09:34:56 AEST 
Created a new bug report for the suggestion to define per-user (rather than per-cert) revocation lists: https://bugzilla.mindrot.org/show_bug.cgi?id=3204