Using multiple certificates for a given private key

Damien Miller djm at mindrot.org
Thu Sep 5 14:21:33 EST 2013


On Wed, 4 Sep 2013, Ryan Kavanagh wrote:

> Hi,
> 
> I'm experimenting with certificates for users, giving access via the
> TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
> one certificate per SSH key on the user's side, which prevents using the
> same key for hosts using different TrustedUserCAKeys. Is there a clean
> way around this?

The easiest way to have multiple certs per private key is to use an agent.
You will still need to copy (or symlink) the private key for each cert
but you will need to enter the passphrase only once.

> A collection of hosts is partitioned into A hosts and B hosts, and we
> have a CA key for the A hosts and one for the B hosts. Bob is a special
> user and is granted access to hosts in both the A and the B clusters,
> and so after sending his id_ecdsa.pub public key to the A and B CA key
> maintainers, gets back two id_ecdsa-cert.pub certificates, one granting
> him access to the A cluster, the other to the B cluster.

I'd try to solve this with principals and/or authorized_principals files.
E.g. setting the certificate's principals list to
"bob@clusterA,bob@clusterB" (or one of the entries alone) and creating
principals files (or a single file) containing "%u@clusterA" or
"%u@clusterB".

> Is there any resolution for Bob short of making two copies of
> ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsaA and ~/.ssh/id_ecdsaB, and similarly
> for ~/.ssh/id_ecdsa.pub, and placing the A and B certificates at
> ~/.ssh/id_ecdsaA-cert.pub and ~/.ssh/id_ecdsaB-cert.pub respectively,
> thereby creating two copies of the key, each with its own certificate?

Not at present.

> Looking at the source code, it looks as though not: key_load_cert
> (authfile.c) calls key_try_load_public (authfile.c), which parses
> ${keyfile}-cert.pub until a key is found, loads it, and returns, thus
> ignoring any subsequent certificates in the file. The cert filename is
> also hardcoded to be ${keyfile}-cert.pub in key_load_cert.

Right. I'd accept patches to allow multiple certificates in the -cert.pub
file though by making key_load_cert return multiple Keys.

-d
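As an added illustration of the principals-based approach (this is example code written for this page, not code from the thread or from OpenSSH): it builds a constructed ecdsa-sha2-nistp256-cert-v01@openssh.com blob (the base64 payload of an id_ecdsa-cert.pub, with placeholder EC point, CA key and signature, so it is not a valid certificate), extracts the principals list the way the cert wire format lays it out, and models the sshd AuthorizedPrincipalsFile check in simplified form. The %u token is expanded in the configured file path, as sshd_config documents; per-line options in the principals file and signature verification against TrustedUserCAKeys are not modelled.

```python
import struct

def ssh_string(b):
    """Encode an SSH wire 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode an SSH wire 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_ecdsa_cert_blob(principals, key_id="bob"):
    """Constructed ecdsa-sha2-nistp256-cert-v01@openssh.com blob. The EC
    point, CA key and signature are placeholder bytes: this exercises the
    principals parser only and is not a certificate sshd would accept."""
    blob = ssh_string(b"ecdsa-sha2-nistp256-cert-v01@openssh.com")
    blob += ssh_string(b"\x00" * 32)                    # nonce
    blob += ssh_string(b"nistp256")                     # curve name
    blob += ssh_string(b"\x04" + b"\x00" * 64)          # placeholder EC point
    blob += struct.pack(">QI", 1, 1)                    # serial, type 1 = user
    blob += ssh_string(key_id.encode())
    blob += ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
    blob += struct.pack(">QQ", 0, 2**64 - 1)            # valid_after / valid_before
    blob += ssh_string(b"") * 3                         # critical opts, exts, reserved
    blob += ssh_string(b"placeholder-ca-key") + ssh_string(b"placeholder-sig")
    return blob

def cert_principals(blob):
    """Return the 'valid principals' list of an ECDSA cert blob."""
    off = 0
    for _ in range(4):                   # type, nonce, curve, point
        _, off = read_string(blob, off)
    off += 8 + 4                         # serial, cert type
    _, off = read_string(blob, off)      # key id
    packed, off = read_string(blob, off)
    names, p = [], 0
    while p < len(packed):
        s, p = read_string(packed, p)
        names.append(s.decode())
    return names

def principal_allowed(blob, principals_path, files, login_user):
    """Simplified model of sshd's AuthorizedPrincipalsFile check: %u in the
    configured path expands to the login user, and the cert is accepted if
    any of its principals equals a non-comment line of that file."""
    text = files.get(principals_path.replace("%u", login_user), "")
    lines = [l.strip() for l in text.splitlines()]
    accepted = {l for l in lines if l and not l.startswith("#")}
    return any(p in accepted for p in cert_principals(blob))
```

With one cert carrying both "bob@clusterA" and "bob@clusterB", cluster A hosts list only the first name in bob's principals file and cluster B hosts only the second, so a single key and a single cert serve both clusters.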

