SSH certificates - restricting to host groups

[Brian Candler]

Hello,


I am trying to work out the best way to issue SSH certificates in such 
way that they only allow access to specific usernames *and* only to 
specific groups of host.


As a concrete example: I want Alice to be able to login as "alice" and 
"www" to machines in group "webserver" (only). Also, I want Bob to be 
able to login as "bob" and "www" to machines in group "webserver" (only).


I have been through the ssh-keygen and sshd_config manpages, and various 
blog postings, in particular Facebook's one here: 
<https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>. 
However, if I issue certs with

ssh-keygen ... -n alice,www,group-webserver ...

ssh-keygen ... -n bob,www,group-webserver ...

and I include "group-webserver" in AuthorizedPrincipalsFile for alice, 
it lets bob login as alice (as per documentation, and also tested).


Now I am thinking I need to do something like this:

ssh-keygen ... -n alice:webserver,www:webserver ...

ssh-keygen ... -n bob:webserver,www:webserver ...

with an AuthorizedPrincipalsCommand such as:


#!/bin/sh
echo "$1:webserver"
echo "$1:anywhere"


Is this the best approach, or am I missing a trick?  I'm surprised I 
couldn't find someone had already done this and blogged about it.


Thanks,

Brian.


P.S. A minor clarification for the documentation: if 
AuthorizedPrincipalsFile does not exist, or is empty, it wasn't 
immediately clear to me if ssh falls back to the same as 
"AuthorizedPrincipalsFile none", or rejects all access.  By 
experimentation, it rejects all access, which is very reasonable - but 
it might be worth a mention nonetheless.