SSH certificates - restricting to host groups

Brian Candler b.candler at
Sat Feb 1 01:52:13 AEDT 2020

On 31/01/2020 14:29, Michael Ströder wrote:
> Hmm, personally I'd recommend not to issue user certs for generic user
> names (e.g. "www"). While some cert information is logged by sshd it
> requires keeping track of all issued certs in searchable data store to
> be able to properly map logins to personal user accounts during an audit.

I thought that was the point of the certificate "identity" (-I) in 
addition to the "principals" (-n).  The login shows the certificate 

Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from 
2001_db8::2009 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA 

In this case, the cert identity was "brian"; cert principals were 
"alice" and "www"; ssh login was as user "alice".

It's still a good idea to keep track of all issued certs though, in case 
you need to revoke one.



More information about the openssh-unix-dev mailing list