python-blessclient

Unintentional Identity file signing

Open pecigonzalo opened this issue 8 years ago • 0 comments

Hi, while troubleshooting some unrelated problems I noticed this client is generating signed key certs for any identity that we use in the ssh command. The culprit seems to be this: https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L171

called here: https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L448

Given an ssh config as recommended:

Match exec "env | grep -q BLESS_COMPLETE || /Users/stype/blessclient/blessclient.run --gui --host '%h'"
	IdentityFile ~/.ssh/blessid

If we call any other ssh command, such as ssh -i ~/.ssh/mykey user@host, and we don't have a filter on domain_regex, blessclient will still generate and sign the mykey key.

While I believe this could in some cases be desired functionality (when doing ssh wrapping instead of ssh config), I think it might be better to just let it toggle via an env var or the existing BLESS_IDENTITYFILE, as more often than not, if you specify a particular identity on the command line, you want to use exactly that to auth and signing is unnecessary.

If this is accepted I can create a PR to clean up/implement this.

pecigonzalo, Jan 09 '18 16:01
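A sketch of the guard proposed in the issue above, as an added example that is not python-blessclient's code: request a certificate only when ssh was given no explicit identity, or when the explicit identity is the one blessclient manages. The function names are hypothetical, and it assumes BLESS_IDENTITYFILE names that managed identity and that the caller already has the ssh argument vector.

```python
import os
import re

# Single-letter ssh options that consume a value (from the ssh(1) synopsis).
# Needed so "-p 22" is skipped correctly and "22" is not taken for the host.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")

def explicit_identities(ssh_argv):
    """Identity files named on an ssh command line via -i or -o IdentityFile."""
    found, args = [], iter(ssh_argv[1:])
    for arg in args:
        if arg in ("-", "--") or not arg.startswith("-"):
            break  # destination reached; what follows is the remote command
        cluster = arg[1:]
        for pos, flag in enumerate(cluster):
            if flag not in OPTS_WITH_ARG:
                continue  # boolean flag such as -v or -A, may be clustered
            # Value is either attached ("-ikey") or the next argument ("-i key").
            value = cluster[pos + 1:] or next(args, "")
            if flag == "i":
                found.append(value)
            elif flag == "o":
                # Accept both "IdentityFile=path" and "IdentityFile path".
                parts = re.split(r"\s*=\s*|\s+", value.strip(), maxsplit=1)
                if len(parts) == 2 and parts[0].lower() == "identityfile":
                    found.append(parts[1])
            break  # rest of the cluster was this option's value
    return found

def _canon(path):
    # Compare paths after ~ expansion and symlink resolution.
    return os.path.realpath(os.path.expanduser(path))

def should_request_cert(ssh_argv, bless_identity, env=os.environ):
    """True when signing is wanted: no explicit identity, or the managed one."""
    # Assumption: BLESS_IDENTITYFILE, when set, overrides the managed identity.
    bless_identity = env.get("BLESS_IDENTITYFILE", bless_identity)
    chosen = explicit_identities(ssh_argv)
    return not chosen or any(_canon(p) == _canon(bless_identity) for p in chosen)

if __name__ == "__main__":
    # Constructed command lines matching the scenario in the issue.
    for argv in (["ssh", "user@host"], ["ssh", "-i", "~/.ssh/mykey", "user@host"]):
        print(argv, should_request_cert(argv, "~/.ssh/blessid", env={}))
```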