Unintentional Identity file signing #26
Comments
pecigonzalo
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
pecigonzalo
changed the title
Hi, while troubleshooting some unrelated problems I noticed this client is generated signed key certs for any identity that we use in the in the ssh command.
The culprit seems to be this:
https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L171
called here:
https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L448
Given an ssh config as recommended:
If we are to call any other ssh command as:
ssh -i ~/.ssh/mykey user@hostand we didn't have a filter on
domain_regex:blessclient will still generate and sign themykeykey.While I believe this could be in some case desired functionality(when doing
sshwrapping instead of ssh config), I think it might be better to just let it toggle via an env var or the existingBLESS_IDENTITYFILEas in most cases than not if you specify a particular identity on the command line, you want to use exactly that to auth and signing is unnecessary.If this is accepted I can create a PR to cleanup/implement this.
The text was updated successfully, but these errors were encountered: