Use of ssh certificates in a multi server of different kind environment.

Damien Miller djm at
Fri Jul 8 13:17:13 EST 2011

On Thu, 7 Jul 2011, Kevin Denis wrote:

> Hello,
> [if I'm not in the right mailing list, please advise me]
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But, if I use the same CA for all my clients, it means that
> any client can log in to any server because the hosts trust my CA. And it's not a
> desired behavior.
> So I made several CAs, one for each type of server. One for webservers, one
> for svn servers, one for my cluster, and so on.. and it works, but I have to
> manage a lot of keys. And certify each kind of user with the right key.
> Is there a way to add in the client certificate the name of the host authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:

Yes, you can do this using principals:

ssh-keygen -s CAKey -I username -n username@host1.allowed,username@host2.allowed key

Set "AuthorizedPrincipalsFile .ssh/authorized_principals" in sshd_config
on each of the hosts that trust CAKey.

Finally, populate ~/.ssh/authorized_principals for each user you want to allow
to contain "username@". Hosts where the name from authorized_principals
matches the name in the ssh-keygen principals list will permit access to the user.

This would be easier if it were possible to expand the host's name in
authorized_principals. Then you could have "%u@%h" or somesuch in each one and
it would do the right thing everywhere.
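To make the matching rule above concrete, here is an added Python example (not from the thread or from OpenSSH). It parses the principal list out of the text that `ssh-keygen -L` prints for a certificate, parses an authorized_principals file, and reports which principals the two have in common, which is the condition sshd checks before granting access (the CA trust check is not modelled). It also shows the per-host "username@hostname" file a provisioning script can write in place of the "%u@%h" expansion that sshd does not perform. The certificate listing is a constructed sample with placeholder fingerprints, and the helper names are the example's own.

```python
# Constructed sample: the kind of text `ssh-keygen -L -f key-cert.pub` prints for a
# user certificate signed with
#   ssh-keygen -s CAKey -I username -n username@host1.allowed,username@host2.allowed key
# Fingerprints are placeholders, not real values.
SAMPLE_CERT_LISTING = """\
key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER_CA_FINGERPRINT (using ssh-ed25519)
        Key ID: "username"
        Serial: 0
        Valid: forever
        Principals:
                username@host1.allowed
                username@host2.allowed
        Critical Options: (none)
        Extensions:
                permit-pty
                permit-user-rc
"""


def parse_principals(listing: str) -> list[str]:
    """Return the principal names from `ssh-keygen -L` output.

    Principals are the lines indented deeper than the "Principals:" header;
    the block ends at the first line indented the same as or less than it.
    A certificate with no principals ("Principals: (none)") yields [].
    """
    principals = []
    header_indent = None
    for line in listing.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if header_indent is None:
            if text.startswith("Principals:"):
                header_indent = indent
            continue
        if not text or indent <= header_indent:
            break
        principals.append(text)
    return principals


def parse_authorized_principals(text: str) -> list[str]:
    """Principal names from an authorized_principals file.

    Blank lines and '#' comments are ignored. A line may carry
    authorized_keys-style options before the name; the name is taken as the
    last whitespace-separated token (assumption: options contain no spaces).
    """
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[-1])
    return names


def matching_principals(cert_principals: list[str], authorized_names: list[str]) -> list[str]:
    """Principals present both in the certificate and in the host's file.

    sshd permits the login when this list is non-empty (and the certificate
    itself is valid and signed by a trusted CA, which is not checked here).
    """
    allowed = set(authorized_names)
    return [p for p in cert_principals if p in allowed]


def authorized_principals_for(username: str, hostname: str) -> str:
    """Contents a provisioning script would write to ~username/.ssh/authorized_principals
    on `hostname`, standing in for the "%u@%h" expansion sshd does not do itself."""
    return f"{username}@{hostname}\n"


if __name__ == "__main__":
    cert = parse_principals(SAMPLE_CERT_LISTING)
    for host in ("host1.allowed", "host3.other"):
        file_names = parse_authorized_principals(authorized_principals_for("username", host))
        matched = matching_principals(cert, file_names)
        print(f"{host}: {'permit' if matched else 'deny'} {matched}")
```

Running the module shows the certificate admitted on host1.allowed and refused on host3.other, because each host's file names only its own hostname; the certificate never has to change when a host is added, only that host's file.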
