From documentation: valid_principals (string: "") – Specifies valid principals, either usernames or hostnames, that the certificate should be signed for.
What Am I missing?
curl -k --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"public_key":"ssh-ed25519 AA*** host.example.com", "cert_type":"host", "valid_principals":"host.example.com"}' $VAULT_ADDR/v1/ssh-host-ca/sign/hostrole | jq
{
"errors": [
"host.example.com is not a valid value for valid_principals"
]
}
1 Like
The principal string isn’t a DNS name but just a standard string. You then list the allowed principals on the SSH server config side which has to match (so the cert contains a single string and the server contains a list of allowable strings).
This does not help at all…
The solution was to enable in signing role: Allow subdomains Yes
Documentation does not mention that valid_principals field is validated against something. I found it while reading bug reports:
opened 01:59PM - 19 Jul 19 UTC
enhancement
core/policy
**Is your feature request related to a problem? Please describe.**
The busine… ss problem this is trying to solve is that i wish to have my users not care about what principals they have access to. When they request a cert i'm wanting to sign it with all the valid principals they have.
I have locked down our vault pretty securely so for signing certificates I have multiple policies
Policy 1:
```
path "ssh-client-signer/*" {
capabilities = ["create", "read", "update", "delete", "list"]
allowed_parameters = {
"valid_principals" = ["server1"]
"*" = []
}
}
```
Policy 2:
```
path "ssh-client-signer/*" {
capabilities = ["create", "read", "update", "delete", "list"]
allowed_parameters = {
"valid_principals" = ["server2"]
"*" = []
}
}
```
Policy 3:
```
path "ssh-client-signer/*" {
capabilities = ["create", "read", "update", "delete", "list"]
allowed_parameters = {
"valid_principals" = ["server3"]
"*" = []
}
}
```
When signing a certificate i can make a request as below
```
vault write ssh-client-signer/sign/my-role -<<"EOH"
{
"public_key": "ssh-rsa ***",
"valid_principals": "server1",
"extension": {
"permit-pty": ""
}
}
EOH
```
and it works for any of the 3 servers. But if i try and make valid_principals a combination of the 3 servers
(ie "valid_principals" : "server1, server2" ) then it does not allow me to sign it because of permissions
**Describe the solution you'd like**
valid_principals in policies to be treated like a list and each individual item in the list evaluated against policies. Something like below
```
vault write ssh-client-signer/sign/my-role -<<"EOH"
{
"public_key": "ssh-rsa ***",
"valid_principals": [ "server1", "server2", "server3" ] ,
"extension": {
"permit-pty": ""
}
}
EOH
```
or
```
vault write ssh-client-signer/sign/my-role -<<"EOH"
{
"public_key": "ssh-rsa ***",
"valid_principals": "server1, server2, server3" ] ,
"extension": {
"permit-pty": ""
}
}
EOH
```
and that should allow the user to sign even if the policies are separated out in different policy templates
1 Like