-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSH CA: allowed_users with template expansion fails when the templated item is a list #11038
Comments
Thinks: if the metadata item contained something that the user controlled (e.g. email??), and they could set themselves up with an E-mail address like I just found related issue #10388, where |
Since templating is optional, some of the security around template formatting could be relaxed.
I would like to see one or more of the following;
From reading the code its clear that;
I would suggest that updating the Naturally you can't do everything. Eg, Would Any thoughts? |
The SSH secrets engine previously split the `validPrincipals` field on comma, then if user templating is enabled, evaluated the templates on each substring. This meant the identity template was only ever allowed to return a single principal. There are use cases where it would be helpful for identity metadata to contain a list of valid principals and for the identity template to be able to inject all of those as valid principals. This change inverts the order of processing. First the template is evaluated, and then the resulting string is split on commas. This allows the identity template to return a single comma-separated string with multiple permitted principals. There is a potential security implication here, that if a user is allowed to update their own identity metadata, they may be able to elevate privileges where previously this was not possible. Fixes hashicorp#11038
The SSH secrets engine previously split the `validPrincipals` field on comma, then if user templating is enabled, evaluated the templates on each substring. This meant the identity template was only ever allowed to return a single principal. There are use cases where it would be helpful for identity metadata to contain a list of valid principals and for the identity template to be able to inject all of those as valid principals. This change inverts the order of processing. First the template is evaluated, and then the resulting string is split on commas. This allows the identity template to return a single comma-separated string with multiple permitted principals. There is a potential security implication here, that if a user is allowed to update their own identity metadata, they may be able to elevate privileges where previously this was not possible. Fixes hashicorp#11038
The SSH secrets engine previously split the `validPrincipals` field on comma, then if user templating is enabled, evaluated the templates on each substring. This meant the identity template was only ever allowed to return a single principal. There are use cases where it would be helpful for identity metadata to contain a list of valid principals and for the identity template to be able to inject all of those as valid principals. This change inverts the order of processing. First the template is evaluated, and then the resulting string is split on commas. This allows the identity template to return a single comma-separated string with multiple permitted principals. There is a potential security implication here, that if a user is allowed to update their own identity metadata, they may be able to elevate privileges where previously this was not possible. Fixes hashicorp#11038
The SSH secrets engine previously split the `validPrincipals` field on comma, then if user templating is enabled, evaluated the templates on each substring. This meant the identity template was only ever allowed to return a single principal. There are use cases where it would be helpful for identity metadata to contain a list of valid principals and for the identity template to be able to inject all of those as valid principals. This change inverts the order of processing. First the template is evaluated, and then the resulting string is split on commas. This allows the identity template to return a single comma-separated string with multiple permitted principals. There is a potential security implication here, that if a user is allowed to update their own identity metadata, they may be able to elevate privileges where previously this was not possible. Fixes #11038
…p#16622) The SSH secrets engine previously split the `validPrincipals` field on comma, then if user templating is enabled, evaluated the templates on each substring. This meant the identity template was only ever allowed to return a single principal. There are use cases where it would be helpful for identity metadata to contain a list of valid principals and for the identity template to be able to inject all of those as valid principals. This change inverts the order of processing. First the template is evaluated, and then the resulting string is split on commas. This allows the identity template to return a single comma-separated string with multiple permitted principals. There is a potential security implication here, that if a user is allowed to update their own identity metadata, they may be able to elevate privileges where previously this was not possible. Fixes hashicorp#11038
Describe the bug
Given a template expansion in an SSH role such as
This fails to match principals when the metadata item
ssh_username
is itself a comma-separated list.To Reproduce
Create an SSH CA with
allowed_users
of the form shown above.Case A: create an entity where the metadata is a single item
Case B: create an entity where the metadata is a comma-separated list
In both cases, login to vault as the appropriate entity and attempt to issue a certificate with one permitted principal, e.g.
Expected behavior
I would expect in both case A and B, to be able to issue a certificate with principal "brian"
What happens is that case A works, but case B fails with
It also fails if I pass
valid_principals="brian,ubuntu"
orvalid_principals="root,brian,ubuntu"
. However it succeeds if I passvalid_principals="root"
(since that value is statically present inallowed_principals
)Here is a copy of the entire entity for case B:
Environment:
vault status
): 1.6.2vault version
):Vault v1.6.3 ('b540be4b7ec48d0dd7512c8d8df9399d6bf84d76+CHANGES')
Vault server configuration file(s):
Additional context
This behaviour is consistent with
allowed_users
being split into a list before template expansion is done, i.e. template expansion is done on each list item separately. Whether this is intentional or not is unclear. The syntax looks like it should work as simple inline string expansion, and I couldn't find documentation which says otherwise.I checked SSH API, templated policies, and policy templating tutorial.
SSH API just says:
The text was updated successfully, but these errors were encountered: