| author | Lars Wirzenius <liw@liw.fi> | 2023-10-08 18:01:28 +0000 |
|---|---|---|
| committer | Lars Wirzenius <liw@liw.fi> | 2023-10-08 18:01:28 +0000 |
| commit | dc54c84f8aab5b45722f1e75a5d6607cba8aabae (patch) | |
| tree | a6dc02059e5abd728b9822e771d85b17495f48d9 | |
| parent | 977c5ba9351ba14fce6e04117d939b50b5deb73f (diff) | |
| parent | 5c5acced827408a59bd592c64d6df393823e261c (diff) | |
| download | sshca-dc54c84f8aab5b45722f1e75a5d6607cba8aabae.tar.gz | |
Merge branch 'tests' into 'main'
tests: make sure user CA can't certify host, and vice versa
See merge request larswirzenius/sshca!68
| -rw-r--r-- | sshca.md | 36 |
|---|---|---|

1 files changed, 36 insertions, 0 deletions
@@ -686,6 +686,25 @@ then stdout contains "myhost" then stdout contains "othername" ~~~ +### Host CA can't certify a user + +_Requirement: we can't certify a user with a host CA._ + +Justification: It must not be easy to make this mistake. + +~~~scenario +given an installed sshca +given file .config/sshca/config.yaml from config.yaml + +when I run ssh-keygen -t ed25519 -N '' -f some_user +when I run sshca user new some_user some_user.pub + +when I run sshca ca new host CAv1 +when I try to run sshca user certify --ca CAv1 some_user +then command fails +then stderr contains "unknown user CA: CAv1" +~~~ + ### By default host certificates are valid for 90 days _Requirement: By default, host certificates should be valid a limited time._ @@ -987,6 +1006,23 @@ when I run ssh-keygen -L -f my.cert then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+ ~~~ +### User CA can't certify a host + +_Requirement: we can't certify a host with a user CA._ + +Justification: It must not be easy to make this mistake. + +~~~scenario +given an installed sshca +given file .config/sshca/config.yaml from config.yaml + +when I run sshca host generate myhost -p myhost -p othername + +when I run sshca ca new user CAv1 +when I try to run sshca host certify --ca CAv1 myhost +then command fails +then stderr contains "unknown host CA: CAv1" +~~~ # SEE ALSO * [ssh-keygen manual page](https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html#CERTIFICATES) |
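Review bot: In the first hunk (the "Host CA can't certify a user" scenario, line 686 region), the expected error `unknown user CA: CAv1` reads as if no CA named CAv1 exists, while the scenario has just created CAv1 as a host CA. Since the stated justification is that this mistake must not be easy to make, a message that says the CA exists but is a host CA, not a user CA, would tell the operator what actually went wrong, and the `then stderr contains` step should pin that wording. It is also worth asserting in the scenario that no certificate for `some_user` was written, since a refusal that still emitted a cert would pass the current `then command fails` check only if the exit status happened to be non-zero.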
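Review bot: In the second hunk (the "User CA can't certify a host" scenario, line 987 region), the Justification paragraph is the same one-liner as in the user-side scenario and does not say why the separation matters; a sentence noting that a CA key trusted for one role must never sign certificates for the other, so that compromise or misuse of a user CA cannot produce a host certificate, would make the requirement self-explanatory to someone reading sshca.md as documentation. As with the user-side scenario, the `unknown host CA: CAv1` message hides the fact that CAv1 does exist as a user CA; consider a type-mismatch error and matching the scenario on it.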