teleport/lib/fixtures
Russell Jones 9135a5ade7 Use roles and traits in certificate for RBAC.
If an attacker can force a username change at an IdP, upon second login,
the services.User object of the original user can be updated with new
roles and traits. If these new roles and traits differ, the original
user can have their privileges raised (or lowered).

To mitigate this, encode roles and traits within the certificate and use
these when fetching roles to make RBAC decisions. If roles and traits are
not encoded within a certificate (for example, for old style SSH
certificates), then fall back to using the services.User object and log a
warning.
2019-09-03 13:44:20 -07:00
..
fixtures.go Use roles and traits in certificate for RBAC. 2019-09-03 13:44:20 -07:00
keys.go Always validate certificate (or key) algorithm. 2019-03-19 17:47:53 -07:00