From fb7f57a8dff77edcaea1271d79943c6cd17f69df Mon Sep 17 00:00:00 2001
From: max furman
Date: Wed, 27 Jul 2022 23:30:00 -0700
Subject: [PATCH 1/2] Add attribute to disable SSH Hosts list API

---
 authority/config/config.go | 21 +++++++++++----------
 authority/ssh.go | 3 +++
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/authority/config/config.go b/authority/config/config.go
index c764e8f9..71f92830 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -92,16 +92,17 @@ type ASN1DN struct {
 // cas.Options.
 type AuthConfig struct {
 *cas.Options
- AuthorityID string `json:"authorityId,omitempty"`
- DeploymentType string `json:"deploymentType,omitempty"`
- Provisioners provisioner.List `json:"provisioners,omitempty"`
- Admins []*linkedca.Admin `json:"-"`
- Template *ASN1DN `json:"template,omitempty"`
- Claims *provisioner.Claims `json:"claims,omitempty"`
- Policy *policy.Options `json:"policy,omitempty"`
- DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
- Backdate *provisioner.Duration `json:"backdate,omitempty"`
- EnableAdmin bool `json:"enableAdmin,omitempty"`
+ AuthorityID string `json:"authorityId,omitempty"`
+ DeploymentType string `json:"deploymentType,omitempty"`
+ Provisioners provisioner.List `json:"provisioners,omitempty"`
+ Admins []*linkedca.Admin `json:"-"`
+ Template *ASN1DN `json:"template,omitempty"`
+ Claims *provisioner.Claims `json:"claims,omitempty"`
+ Policy *policy.Options `json:"policy,omitempty"`
+ DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
+ Backdate *provisioner.Duration `json:"backdate,omitempty"`
+ EnableAdmin bool `json:"enableAdmin,omitempty"`
+ DisableSSHHostsListAPI bool `json:"disableSSHHostsListAPI,omitempty"`
 }
 
 // init initializes the required fields in the AuthConfig if they are not
diff --git a/authority/ssh.go b/authority/ssh.go
index 1fd7f2e8..04f9c2ac 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
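Review bot: The new `DisableSSHHostsListAPI` field on AuthConfig is added without a doc comment, and its effect — GetSSHHosts refusing with a 404 — is only discoverable by reading the ssh.go hunk, so a reader of the config struct cannot tell what "disable" switches off or why an operator would set it (presumably to stop callers enumerating the CA's host principals). A comment above the field such as `// DisableSSHHostsListAPI turns off the SSH hosts list API: GetSSHHosts returns a 404 error when it is set.` would document it, and the same applies to the renamed `DisableGetSSHHosts` field in the second patch's config.go hunk. The neighbouring fields are uncommented too, but this one changes the CA's externally visible behaviour rather than a value it stores.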
@@ -602,6 +602,9 @@ func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (
 
 // GetSSHHosts returns a list of valid host principals.
 func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error) {
+ if a.GetConfig().AuthorityConfig.DisableSSHHostsListAPI {
+ return nil, errs.New(http.StatusNotFound, "ssh hosts list api disabled")
+ }
 if a.sshGetHostsFunc != nil {
 hosts, err := a.sshGetHostsFunc(ctx, cert)
 return hosts, errs.Wrap(http.StatusInternalServerError, err, "getSSHHosts")

From 99c915546765598ba9a2fca39ca14d8ebeaff9de Mon Sep 17 00:00:00 2001
From: max furman
Date: Thu, 4 Aug 2022 18:44:44 -0700
Subject: [PATCH 2/2] disableSSHHostsListAPI -> disableGetSSHHosts

---
 authority/config/config.go | 22 +++++++++++-----------
 authority/ssh.go | 2 +-
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/authority/config/config.go b/authority/config/config.go
index 71f92830..ad645b69 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
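Review bot: The new disabled branch at the top of GetSSHHosts ships without a test — the diffstat lists only config.go and ssh.go — so nothing pins that a config with the flag set yields an http.StatusNotFound error instead of falling through to sshGetHostsFunc. A table case in the GetSSHHosts tests (if the package has them) that sets `AuthorityConfig.DisableSSHHostsListAPI: true` and asserts the 404 status code would cover it. The check also dereferences `a.GetConfig().AuthorityConfig` unguarded; if that field can be nil on a minimally configured Authority (cannot tell from this hunk), the call panics rather than returning the 404, and `ac := a.GetConfig().AuthorityConfig; if ac != nil && ac.DisableSSHHostsListAPI {` would keep it a clean error. Since the guard sits ahead of the sshGetHostsFunc override, which looks deliberate so that a remote implementation is switched off as well, a why-comment such as `// Checked before sshGetHostsFunc so the flag also disables remote implementations.` would make that intent explicit. GetSSHHosts's body continues outside the hunk.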
@@ -92,17 +92,17 @@ type ASN1DN struct {
 // cas.Options.
 type AuthConfig struct {
 *cas.Options
- AuthorityID string `json:"authorityId,omitempty"`
- DeploymentType string `json:"deploymentType,omitempty"`
- Provisioners provisioner.List `json:"provisioners,omitempty"`
- Admins []*linkedca.Admin `json:"-"`
- Template *ASN1DN `json:"template,omitempty"`
- Claims *provisioner.Claims `json:"claims,omitempty"`
- Policy *policy.Options `json:"policy,omitempty"`
- DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
- Backdate *provisioner.Duration `json:"backdate,omitempty"`
- EnableAdmin bool `json:"enableAdmin,omitempty"`
- DisableSSHHostsListAPI bool `json:"disableSSHHostsListAPI,omitempty"`
+ AuthorityID string `json:"authorityId,omitempty"`
+ DeploymentType string `json:"deploymentType,omitempty"`
+ Provisioners provisioner.List `json:"provisioners,omitempty"`
+ Admins []*linkedca.Admin `json:"-"`
+ Template *ASN1DN `json:"template,omitempty"`
+ Claims *provisioner.Claims `json:"claims,omitempty"`
+ Policy *policy.Options `json:"policy,omitempty"`
+ DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
+ Backdate *provisioner.Duration `json:"backdate,omitempty"`
+ EnableAdmin bool `json:"enableAdmin,omitempty"`
+ DisableGetSSHHosts bool `json:"disableGetSSHHosts,omitempty"`
 }
 
 // init initializes the required fields in the AuthConfig if they are not
diff --git a/authority/ssh.go b/authority/ssh.go
index 04f9c2ac..d8d5375c 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -602,7 +602,7 @@ func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (
 
 // GetSSHHosts returns a list of valid host principals.
 func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error) {
- if a.GetConfig().AuthorityConfig.DisableSSHHostsListAPI {
+ if a.GetConfig().AuthorityConfig.DisableGetSSHHosts {
 return nil, errs.New(http.StatusNotFound, "ssh hosts list api disabled")
 }
 if a.sshGetHostsFunc != nil {