Use of ssh certificates in a multi server of different kind environment.

Iain Morgan imorgan at
Fri Jul 8 02:34:40 EST 2011

On Thu, Jul 07, 2011 at 07:44:33 -0500, Kevin Denis wrote:
> Hello,
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But, if I use the same CA for all my clients, it means that
> any client can log in to any server because the hosts trust my CA. And it's not a
> desired behavior.
> So I made several CAs, one for each type of server. One for webservers, one
> for svn servers, one for my cluster, and so on... and it works, but I have to
> manage a lot of keys. And certify each kind of user with the right key.
> Is there a way to add in the client certificate the name of the host authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:
> ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,
> But the destination_address option doesn't exist...
> So, am I doing right with my multiple CAs? Or is there a better way?
> Thanks,
> Sent with Inmano, my amazing free email client:

While the certificates do not provide a means of restricting their use
to authenticating against specific servers, there are a variety of ways
to accomplish a similar end.

The most obvious is to only provision accounts on servers for users who
are authorized to access them. However, there may be some circumstances
where this is not practical.

Another approach would be to use the AllowGroups keyword in the
sshd_config and only assign users to the allowed groups if they are
authorized to access the system. Thus, you might have a group for each
class of server for which you wish to authorize access.

You can also provide access control via a PAM such as

If you are using a recent enough version of OpenSSH, you could also use
the AuthorizedPrincipalsFile keyword to specify which principals can
log in to a given account. You could then adjust these files on a
host-by-host basis.

Iain Morgan
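The AuthorizedPrincipalsFile approach from the reply above, worked through as an added example (this is not code from the thread or from OpenSSH): one user CA for every host, role-style principal names in each user's certificate, and a per-host principals file that decides which roles may use which account. The host names (web1, svn1), the deploy account, the principal names (web-admin, svn-admin) and the /etc/ssh/principals/%u layout are illustrative assumptions; the sandbox under $TMPDIR stands in for the /etc/ssh of several hosts. When ssh-keygen is present the script also issues a real certificate with -n and reads its principal list back; otherwise it uses the same list as a literal.

```shell
#!/bin/sh
# Added example, not code from the thread: one user CA, per-host-class
# principal names in the certificate, and a per-host AuthorizedPrincipalsFile
# listing which principals may log in to each account.
# Host names (web1, svn1), accounts, principal names and the
# /etc/ssh/principals/%u layout are illustrative assumptions.
set -eu

# Sandbox standing in for the /etc/ssh directories of several hosts.
ROOT="${TMPDIR:-/tmp}/sshca-demo.$$"
mkdir -p "$ROOT"
trap 'rm -rf "$ROOT"' EXIT

# sshd_config fragment deployed unchanged to every host class; %u expands
# to the account being logged in to.
sshd_fragment() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
EOF
}

# write_principals HOST ACCOUNT PRINCIPAL...
# Creates the principals file for ACCOUNT on HOST, one principal per line.
write_principals() {
    wp_host=$1; wp_account=$2; shift 2
    mkdir -p "$ROOT/$wp_host/etc/ssh/principals"
    printf '%s\n' "$@" > "$ROOT/$wp_host/etc/ssh/principals/$wp_account"
}

# cert_allowed HOST ACCOUNT "p1,p2,..."
# Mirrors sshd's rule once AuthorizedPrincipalsFile is set: the login is
# accepted if any principal carried by the certificate matches, exactly,
# a line of the account's principals file on that host. Exit 0 = allowed.
cert_allowed() {
    ca_file="$ROOT/$1/etc/ssh/principals/$2"
    [ -f "$ca_file" ] || return 1
    printf '%s\n' "$3" | tr ',' '\n' | grep -qxF -f - "$ca_file"
}

# cert_principals CERTFILE -> comma-separated list read from the
# "Principals:" section of `ssh-keygen -L`. Needs OpenSSH installed.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/ { p = 1; next }
        p && /:/                   { exit }
        p { sub(/^[[:space:]]+/, ""); printf "%s%s", (n++ ? "," : ""), $0 }'
}

# --- demo -----------------------------------------------------------------
# Webservers let the deploy account be used by holders of "web-admin";
# SVN servers only by holders of "svn-admin". Same CA trusted on both.
write_principals web1 deploy web-admin
write_principals svn1 deploy svn-admin

# Kevin's certificate carries his own name plus the web-admin role.
KEVIN_PRINCIPALS="kevin,web-admin"

if command -v ssh-keygen >/dev/null 2>&1; then
    # Real certificate from a throwaway CA, signed with the principal list
    # via -n, then read back to show exactly what the cert carries.
    ssh-keygen -q -N '' -t ed25519 -f "$ROOT/user_ca"
    ssh-keygen -q -N '' -t ed25519 -f "$ROOT/kevin"
    ssh-keygen -q -s "$ROOT/user_ca" -I kevin-cert -n "$KEVIN_PRINCIPALS" \
        -V +52w "$ROOT/kevin.pub"
    KEVIN_PRINCIPALS=$(cert_principals "$ROOT/kevin-cert.pub")
fi

for host in web1 svn1; do
    if cert_allowed "$host" deploy "$KEVIN_PRINCIPALS"; then
        echo "$host: deploy login with [$KEVIN_PRINCIPALS] ALLOWED"
    else
        echo "$host: deploy login with [$KEVIN_PRINCIPALS] DENIED"
    fi
done
```

Two details make the single-CA design hold. Without AuthorizedPrincipalsFile, sshd accepts a CA-signed certificate for an account only if the account name itself appears among the certificate's principals, so every user certified by the CA could reach every account of that name on every host; once the option is set, only the principals listed in the per-host file count, so a certificate whose principals are kevin and web-admin is accepted on web1 and refused on svn1 even though both hosts trust the same CA. The comparison is an exact match per line, as cert_allowed shows (web-adm does not match web-admin), and AuthorizedPrincipalsFile is available from OpenSSH 5.6 on.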

More information about the openssh-unix-dev mailing list