
SSH: add not_before to precisely set validity window start timestamp (Vault #24084) #485

Open
cipherboy opened this issue Aug 23, 2024 · 5 comments · May be fixed by #487 or #503
Labels
feature New feature or request good first issue Good for newcomers help wanted Extra attention is needed secrets/ssh Related to the ssh secrets engine

Comments

@cipherboy
Member

As reported by @mehmetakbulut on #24084:

Is your feature request related to a problem? Please describe.

It is not possible to set validity window start to a specific value currently. This is because not_before_duration field accepts a duration to be set at configuration-time.

Describe the solution you'd like

not_before field should be added to accept an absolute timestamp.

Describe alternatives you've considered

1. Add toggle to disable validity window. This would work for some use-cases but not for all.

2. Use special or large value to make `not_before_duration` work. This does not work currently because of underflow.

Explain any additional use-cases

1. Many air-gapped systems without GPS and/or RTC boot up with their clocks set to Unix epoch. These cannot accept a validity window starting at `utc_now - not_before_duration`.

2. Certificates could be generated ahead-of-time for key rotation or other similar exercises with a future `not_before` date and remain invalid until rotation occurs.

Additional context

See #13608


This sounds like a good improvement and helps bring parity with PKI's implementation.
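To make the underflow and the proposed fix concrete, here is an added example (not code from the ssh secrets engine or from anyone in this thread) that computes an SSH certificate's ValidAfter/ValidBefore pair, which the wire format stores as unsigned 64-bit second counts. `naiveValidAfter` shows how backdating by `not_before_duration` wraps when the issuer's clock sits at the Unix epoch; `validityWindow` prefers an absolute `not_before` when set, otherwise clamps the backdated start at 0. The option struct, its field names and the choice to measure TTL from issuance time are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// validityOptions is an assumed shape for the two ways of choosing the
// window start discussed in the thread; it is not the engine's own API.
type validityOptions struct {
	NotBefore         time.Time     // absolute start; zero value means "not set"
	NotBeforeDuration time.Duration // backdate relative to issuance time
	TTL               time.Duration // lifetime measured from issuance (assumption)
}

// naiveValidAfter subtracts in unsigned arithmetic, as a direct translation of
// "utc_now - not_before_duration" would: a clock at the epoch wraps to ~2^64.
func naiveValidAfter(now time.Time, backdate time.Duration) uint64 {
	return uint64(now.Unix()) - uint64(backdate/time.Second)
}

// validityWindow returns (ValidAfter, ValidBefore). An absolute not_before
// wins when set; otherwise the start is backdated and clamped at the epoch so
// the unsigned field can never wrap. An empty or inverted window is an error.
func validityWindow(now time.Time, o validityOptions) (uint64, uint64, error) {
	if o.TTL <= 0 {
		return 0, 0, errors.New("ttl must be positive")
	}
	start := now.Unix() - int64(o.NotBeforeDuration/time.Second)
	if !o.NotBefore.IsZero() {
		start = o.NotBefore.Unix() // e.g. a future rotation date
	}
	if start < 0 { // issuer booted with its clock at (or near) the epoch
		start = 0
	}
	end := now.Unix() + int64(o.TTL/time.Second)
	if end <= start {
		return 0, 0, fmt.Errorf("empty validity window: ends at %d, starts at %d", end, start)
	}
	return uint64(start), uint64(end), nil
}

func main() {
	// Constructed input: an air-gapped issuer whose clock reads the Unix epoch.
	epoch := time.Unix(0, 0).UTC()
	fmt.Println(naiveValidAfter(epoch, 30*time.Second)) // wrapped, far-future value
	a, b, err := validityWindow(epoch, validityOptions{NotBeforeDuration: 30 * time.Second, TTL: time.Hour})
	fmt.Println(a, b, err) // 0 3600 <nil>
	// Constructed input: a cert cut a day ahead of a rotation with a future not_before.
	rot := time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC)
	a, b, err = validityWindow(rot.Add(-24*time.Hour), validityOptions{NotBefore: rot, TTL: 48 * time.Hour})
	fmt.Println(a, b, err)
}
```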

@cipherboy cipherboy added good first issue Good for newcomers help wanted Extra attention is needed feature New feature or request labels Aug 23, 2024
@vhespanha

I'll be working on this one today, care to assign it to me?

@cipherboy
Member Author

@vhespanha Sounds great, let me know if you have any questions!

@vhespanha

Thanks a lot!

@vhespanha

Got to a working build and decided to open the PR, if it's all clear I'll proceed to the rest of the code and refactor the current one a little. Thanks a lot.

@mehmetakbulut

This is looking great!

@cipherboy cipherboy added the secrets/ssh Related to the ssh secrets engine label Sep 7, 2024