coilyco-flight-deck/infrastructure
1
0
Fork 0
Code Issues 101 Pull requests Projects Releases Packages Wiki Activity Actions 1

Audit ssh attack surface for CVE-2026-35414 OpenSSH commas-in-cert-principals #71

New issue
Open
opened 2026-05-23 20:54:37 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:54:37 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-05-03T19:53:52Z - https://github.com/coilysiren/infrastructure/issues/90

🤖 Filed by Claude Code on Kai's behalf.

CVE-2026-35414 surfaced in TLDR (2026-04-28): a 15-year-old OpenSSH bug where a code-reuse error allows commas in SSH certificate principals, breaking principal-based authorization. Worth a quick audit because coily ssh kai-server is the daily privileged path into the homelab.

What to check

  • sshd version on kai-server vs the CVE's affected range. ssh -V locally and ssh kai-server 'sshd -V 2>&1 || /usr/sbin/sshd -V 2>&1'.
  • Whether kai-server's sshd actually uses cert-based auth with principals constraints, or just plain authorized_keys. If it's authorized_keys only, this CVE is not exploitable here. (Pretty sure it's the latter, but verify.)
  • Same check on any other host coily reaches (GH Actions runners that ssh in, etc.).
  • If affected: pin the upgrade path. Debian/Ubuntu security backport vs source build.

Relation to gauntlet

Tangentially related, not a direct gauntlet trial:

  • gauntlet attacks HTTP APIs for authorization/ownership/input invariants. SSH cert-principal parsing is out of scope for the current gauntlet shape (no HTTP surface).
  • BUT the underlying pattern - "auth identifier parser accepts a delimiter that the authz layer treats as a separator" - is exactly the class of bug gauntlet's Inspector should be primed to look for in HTTP services. Worth adding a recurring-failure pattern to gauntlet's prior catalog: delimiter-injection in identity claims (commas, semicolons, nulls, unicode lookalikes inside usernames/org-slugs/principal lists that get split or joined downstream).
  • Action item if confirmed valuable: open a follow-up in coilysiren/gauntlet to seed an attacker plan template around delimiter injection in identity fields.

Other items from the same TLDR (lower priority, not blocking)

  • Checkmarx GitHub-org compromise: review whether any coilysiren/* repo has Checkmarx as an installed app/integration. If yes, audit + rotate.
  • CloudFlare AI-reviewer rollout: not actionable, just market signal.

Source

TLDR newsletter, dan@tldrnewsletter.com, 2026-04-28. Item titled "15-Year OpenSSH Root Bug, Checkmarx GitHub Breach, CloudFlare AI Reviews At Scale."

🤖 Filed by Claude Code on Kai's behalf.

Moved from coilysiren/coilyco-ai#23.

_Originally filed by @coilysiren on 2026-05-03T19:53:52Z - [https://github.com/coilysiren/infrastructure/issues/90](https://github.com/coilysiren/infrastructure/issues/90)_ > 🤖 Filed by Claude Code on Kai's behalf. CVE-2026-35414 surfaced in TLDR (2026-04-28): a 15-year-old OpenSSH bug where a code-reuse error allows commas in SSH certificate principals, breaking principal-based authorization. Worth a quick audit because `coily ssh kai-server` is the daily privileged path into the homelab. ## What to check - [ ] sshd version on `kai-server` vs the CVE's affected range. `ssh -V` locally and `ssh kai-server 'sshd -V 2>&1 || /usr/sbin/sshd -V 2>&1'`. - [ ] Whether kai-server's sshd actually uses cert-based auth with `principals` constraints, or just plain authorized_keys. If it's authorized_keys only, this CVE is not exploitable here. (Pretty sure it's the latter, but verify.) - [ ] Same check on any other host coily reaches (GH Actions runners that ssh in, etc.). - [ ] If affected: pin the upgrade path. Debian/Ubuntu security backport vs source build. ## Relation to gauntlet Tangentially related, not a direct gauntlet trial: - gauntlet attacks HTTP APIs for authorization/ownership/input invariants. SSH cert-principal parsing is out of scope for the current gauntlet shape (no HTTP surface). - BUT the underlying pattern - "auth identifier parser accepts a delimiter that the authz layer treats as a separator" - is exactly the class of bug gauntlet's Inspector should be primed to look for in HTTP services. Worth adding a recurring-failure pattern to gauntlet's prior catalog: **delimiter-injection in identity claims** (commas, semicolons, nulls, unicode lookalikes inside usernames/org-slugs/principal lists that get split or joined downstream). - Action item if confirmed valuable: open a follow-up in `coilysiren/gauntlet` to seed an attacker plan template around delimiter injection in identity fields. ## Other items from the same TLDR (lower priority, not blocking) - Checkmarx GitHub-org compromise: review whether any coilysiren/* repo has Checkmarx as an installed app/integration. If yes, audit + rotate. - CloudFlare AI-reviewer rollout: not actionable, just market signal. ## Source TLDR newsletter, dan@tldrnewsletter.com, 2026-04-28. Item titled "15-Year OpenSSH Root Bug, Checkmarx GitHub Breach, CloudFlare AI Reviews At Scale." > 🤖 Filed by Claude Code on Kai's behalf. --- *Moved from coilysiren/coilyco-ai#23.*
coilysiren added
P4
 and removed
P3
 labels 2026-05-31 07:00:45 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dispatch/issue-294
tangled-knot
dispatch/issue-216
No results found.
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/infrastructure#71
No description provided.