Using multiple certificates for a given private key

[Ryan Kavanagh]

Hi,

I'm experimenting with certificates for users, giving access via the
TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
one certificate per SSH key on the user's side, which prevents using the
same key for hosts using different TrustedUserCAKeys. Is there a clean
way around this?

To make the above clearer, consider the following situation:

A collection of hosts is partitioned into A hosts and B hosts, and we
have a CA key for the A hosts and one for the B hosts. Bob is a special
user and is granted access to hosts in both the A and the B clusters,
and so after sending his id_ecdsa.pub public key to the A and B CA key
maintainers, gets back two id_ecdsa-cert.pub certificates, one granting
him access to the A cluster, the other to the B cluster.

Bob is however stuck in that ssh only looks at the file
~/.ssh/id_ecdsa-cert.pub for a certificate for his id_ecdsa key. If he
puts A's certificate at that location, he can't login to B using B's
certificate, and vice-versa. If he puts both certificates into
~/.ssh/id_ecdsa-cert.pub, ssh only uses the top one.

Is there any resolution for Bob short of making two copies of
~/.ssh/id_ecdsa, ~/.ssh/id_ecdsaA and ~/.ssh/id_ecdsaB, and similarly
for ~/.ssh/id_ecdsa.pub, and placing the A and B certificates at
~/.ssh/id_ecdsaA-cert.pub and ~/.ssh/id_ecdsaB-cert.pub respectively,
thereby creating two copies of the key, each with its own certificate?

Looking at the source code, it looks as though not: key_load_cert
(authfile.c) calls key_try_load_public (authfile.c), which parses
${keyfile}-cert.pub until a key is found, loads it, and returns, thus
ignoring any subsequent certificates in the file. The cert filename is
also hardcoded to be ${keyfile}-cert.pub in key_load_cert.

Best wishes,
Ryan

-- 
|_)|_/	Ryan Kavanagh		| Debian Developer
| \| \	http://ryanak.ca/	| GPG Key 4A11C97A