Bug 2328 - Per-user certificate revocation list (CRL) in authorized_keys
Summary: Per-user certificate revocation list (CRL) in authorized_keys
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.7p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-22 20:07 AEDT by martin ➬
Modified: 2020-08-29 09:54 AEST

See Also:

Description martin ➬ 2014-12-22 20:07:28 AEDT
I can tag a pubkey `cert-authority` in authorized_keys, allowing every user to administer their own CA for SSH logins. This is very cool, thanks for that feature.

Unfortunately, this only makes sense if each user also manages a corresponding CRL. However, this seems only possible in `sshd_config`, meaning users cannot control it themselves trivially, and there's also a namespacing issue / the possibility of users interfering with each other. Finally, I might want to revoke access for a key from one account but not another.

Hence, it would be cool if I could specify in `authorized_keys` something akin to:

  cert-authority,crl-file="revoked-certs",command="…" ssh-rsa …

and have `sshd` consult the CRL in `~/.ssh/revoked-certs` (or an absolute path) when deciding whether to authenticate/authorize a login.

Thanks,
-m
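To make the proposed syntax concrete, here is an added example (not code from OpenSSH and not the reporter's) that parses an authorized_keys line the way sshd reads option lists: comma-separated options, double-quoted values, and backslash escapes inside quotes. The `crl-file` option is hypothetical and exists only in this proposal; the sample line, the `wrapper` command and the home directory are constructed. The "line starts with a key type" heuristic for detecting an options field is a simplification of what sshd does (it tries to parse a key first), and is an assumption of this example.

```python
"""Parse an OpenSSH authorized_keys line, including the hypothetical
crl-file= option proposed in this report (added example, not OpenSSH code)."""
import os

# Prefixes of key types sshd accepts; used to decide whether a line starts
# with an options field (simplification of sshd's own approach).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

# Constructed sample line following the report's proposal. The command value
# contains an escaped quote and spaces to exercise the quoting rules.
SAMPLE_LINE = ('cert-authority,crl-file="revoked-certs",'
               'command="/usr/local/bin/wrapper \\"quoted arg\\"" '
               'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQ== martin-ca')


def parse_options(opt_text):
    """Split an option string into a dict; flags map to True.

    Rules mirror sshd: options are comma separated, a value may be
    double-quoted, and inside quotes a backslash escapes the next character.
    """
    opts = {}
    i, n = 0, len(opt_text)
    while i < n:
        j = i
        while j < n and opt_text[j] not in "=,":      # option name
            j += 1
        name = opt_text[i:j].strip()
        if j < n and opt_text[j] == "=":
            j += 1
            if j < n and opt_text[j] == '"':              # quoted value
                j += 1
                buf = []
                while j < n and opt_text[j] != '"':
                    if opt_text[j] == "\\" and j + 1 < n:
                        j += 1                            # take escaped char
                    buf.append(opt_text[j])
                    j += 1
                if j >= n:
                    raise ValueError("unterminated quoted option value")
                j += 1                                    # closing quote
                value = "".join(buf)
            else:                                         # bare value
                k = j
                while k < n and opt_text[k] != ",":
                    k += 1
                value = opt_text[j:k]
                j = k
        else:
            value = True
        if name:
            opts[name] = value
        if j < n and opt_text[j] == ",":
            j += 1
        i = j
    return opts


def parse_line(line):
    """Return {options, key_type, key_b64, comment} for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        opts, rest = {}, line
    else:
        # Options field ends at the first whitespace outside double quotes.
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        opts, rest = parse_options(line[:i]), line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    return {"options": opts, "key_type": parts[0], "key_b64": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def resolve_crl_path(entry, home):
    """Resolve the hypothetical crl-file option as the report proposes:
    a relative name lives under ~/.ssh, an absolute path is used as given."""
    path = entry["options"].get("crl-file")
    if path is None or path is True:
        return None
    return path if os.path.isabs(path) else os.path.join(home, ".ssh", path)


if __name__ == "__main__":
    entry = parse_line(SAMPLE_LINE)
    print(entry["options"])
    print(resolve_crl_path(entry, "/home/martin"))
```

Note that the per-CA revocation the reporter asks for falls out naturally of this shape: each `cert-authority` line carries its own `crl-file`, so the path is resolved per line rather than once per user or once per host.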
Comment 1 martin ➬ 2014-12-22 22:41:46 AEDT
It just occurred to me that this could probably trivially be enabled by giving access to %h and %u like AuthorizedKeysFile to sshd_config's RevokedKeys. It would still mean only one CRL per user, whereas a pointer in the actual authorized_keys file would mean one CRL per CA, which is what it should be.
Comment 2 Damien Miller 2014-12-23 09:30:51 AEDT
Having authorized_keys refer to other files is probably too much work (it's tricky because of privilege separation), but it should at least support revoking specific keys.
Comment 3 Jordan Macdonald 2020-08-29 09:34:56 AEST
Created a new bug report for the suggestion to define per-user (rather than per-cert) revocation lists: https://bugzilla.mindrot.org/show_bug.cgi?id=3204