Vault has no control over extensions; it allows anyone to sign on behalf of others.

While trying to sign for the GitHub CA, it allows any user to sign for anyone.

User XXX can sign on behalf of user YYY, so GitHub grants all the permissions to XXX, who doesn't have any access.

# sign request (the extension value is chosen by the caller)
vault write ssh-new/sign/developer -<<EOH
{
"public_key": "$PUBLIC_KEY",
"extensions": {
"login@github.com": ""
}
}
EOH

# role definition
vault write ssh/roles/developer -<<"EOH"
{
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "login@github.com",
"key_type": "ca",
"ttl": "120h",
"max_ttl": "120h",
"default_extensions": {"login@github.com": "{{identity.entity.aliases.auth_oidc_a2b8f018.name}}"}
}
EOH
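The role above lists login@github.com in allowed_extensions, so any caller of the sign endpoint may set that extension to whatever value they like, and a requested extension replaces the identity-templated default. The following is an added example (not Vault's code and not from the original post) that models the documented role semantics as assumed here: a requested extension must appear in allowed_extensions (or that field must be "*"), requested extensions replace default_extensions entirely, and with default_extensions_template set the {{identity...}} template is rendered from the caller's entity. It runs the same sign request against the posted role and against a hardened role that allows no caller-supplied extensions, and includes a small audit check for roles where an identity-templated default can be overridden. The caller identity dicts, ROLE_WEAK, ROLE_HARDENED and all function names are constructed for the example.

```python
"""Model of how a Vault SSH CA role's extension settings gate a sign request.

Added example, not Vault's own code. Assumed semantics (see lead-in):
- a requested extension must be listed in allowed_extensions, or that field is "*";
- requested extensions replace default_extensions entirely;
- with default_extensions_template set, identity templates in default_extensions
  are rendered from the caller's entity.
Caller identities below are constructed sample data.
"""
import re

# {{identity.entity.aliases.<mount_accessor>.name}}: the template form used in the post.
IDENTITY_ALIAS_RE = re.compile(r"\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.name\}\}")

GITHUB_EXT = "login@github.com"
TEMPLATED_LOGIN = "{{identity.entity.aliases.auth_oidc_a2b8f018.name}}"

# The role from the post: the caller may supply login@github.com with any value.
ROLE_WEAK = {
    "allowed_extensions": GITHUB_EXT,
    "default_extensions": {GITHUB_EXT: TEMPLATED_LOGIN},
    "default_extensions_template": True,
}

# Hardened role: no caller-supplied extensions at all, so the GitHub login can
# only come from the templated default, i.e. from the caller's own identity.
ROLE_HARDENED = {
    "allowed_extensions": "",
    "default_extensions": {GITHUB_EXT: TEMPLATED_LOGIN},
    "default_extensions_template": True,
}

# Constructed caller identity: user xxx's OIDC alias on accessor auth_oidc_a2b8f018.
CALLER_XXX = {"aliases": {"auth_oidc_a2b8f018": {"name": "xxx"}}}


def _allowed_set(role):
    """Parse the comma-separated allowed_extensions field into a set of names."""
    return {e.strip() for e in role.get("allowed_extensions", "").split(",") if e.strip()}


def render_identity(value, caller):
    """Replace identity alias templates in a default_extensions value."""
    def lookup(match):
        accessor = match.group(1)
        alias = caller["aliases"].get(accessor)
        if alias is None:
            # Assumption of this model: a missing alias is an error rather than "".
            raise LookupError(f"caller has no alias on accessor {accessor}")
        return alias["name"]
    return IDENTITY_ALIAS_RE.sub(lookup, value)


def resolve_extensions(role, requested, caller):
    """Return the extensions a signed certificate would carry, or raise PermissionError.

    requested: the "extensions" map from the sign request (may be empty).
    """
    allowed = _allowed_set(role)
    if requested:
        if "*" not in allowed:
            denied = set(requested) - allowed
            if denied:
                raise PermissionError(f"extensions not allowed by role: {sorted(denied)}")
        # Caller-chosen values replace the defaults, templated or not.
        return dict(requested)
    defaults = dict(role.get("default_extensions", {}))
    if role.get("default_extensions_template"):
        defaults = {k: render_identity(v, caller) for k, v in defaults.items()}
    return defaults


def audit_role(role):
    """Flag defaults that are identity-templated but overridable by the caller."""
    allowed = _allowed_set(role)
    findings = []
    for ext, value in role.get("default_extensions", {}).items():
        if IDENTITY_ALIAS_RE.search(value) and ("*" in allowed or ext in allowed):
            findings.append(f"{ext}: identity-templated default, but caller may supply its own value")
    return findings


def demo():
    """Same request against both roles: (weak result, hardened refused?, hardened default)."""
    request = {GITHUB_EXT: "yyy"}  # caller xxx asks for a login that is not their own
    weak = resolve_extensions(ROLE_WEAK, request, CALLER_XXX)
    try:
        resolve_extensions(ROLE_HARDENED, request, CALLER_XXX)
        refused = False
    except PermissionError:
        refused = True
    own = resolve_extensions(ROLE_HARDENED, {}, CALLER_XXX)
    return weak, refused, own


if __name__ == "__main__":
    print("weak role audit:", audit_role(ROLE_WEAK))
    print("hardened role audit:", audit_role(ROLE_HARDENED))
    print(demo())
```

With the weak role the request from the post (an empty login@github.com value) also goes through and produces a certificate with an empty login, while the hardened role rejects any request that names the extension and always falls back to the templated default. Two things to verify on a real deployment rather than trust this model: the posted role does not set default_extensions_template, and without it the {{identity...}} string is written into the certificate literally; and extension handling has differed between Vault versions, so sign once with and once without an "extensions" map against a test role and inspect the result with ssh-keygen -L.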