Globs in SSH engine's `allowed_users`

sarfarazahmad89 · June 2, 2022, 2:39pm

Hi,

I can;t understand why globs or regular expressions are not supported in the allowed_users parameter of the SSH engine (for security reasons?) . I want to configure a SSH certificate signer role where allowed_users are like,

  "allowed_users_template": true,
  "allowed_users": "{{identity.entity.aliases.auth_ldap_bla_blah_blah.name}}", myprefix-*

But it seems it either has to be a strict string or a generic complete open wildcard (*)

Thoughts?

maxb · June 2, 2022, 3:59pm

It might simply be that when the functionality was originally being designed, the people involved went with the simplest design to describe and code.

There are, annoyingly, quite a few different implementations of wildcard matching in different parameters throughout Vault

Topic		Replies	Views
PKI - Issue with role and glob patterns Vault	1	895	September 27, 2023
SSH secrets provider and identity templating Vault	2	985	August 20, 2021
Vault SSH CA can't get allowed_users_template to work Vault vault	2	1084	January 27, 2022
Templated role glob *([a-z]) not working Vault	1	294	April 28, 2022
Key and value limits for key value pairs Vault kv , vault	2	1554	March 6, 2022

Globs in SSH engine's `allowed_users`

Related topics