SSH certificates - restricting to host groups

Michael Ströder
Thu Jan 30 23:53:30 AEDT 2020

On 1/30/20 1:27 PM, Brian Candler wrote:
> I am trying to work out the best way to issue SSH certificates in such
> way that they only allow access to specific usernames *and* only to
> specific groups of host.

I also thought about this for a while. The only idea I came up with is
to have separate CAs used as trust anchor for each host group. But it
was not urgent for me because I have an authorization based on host
groups enforced by the user management anyway.

> Now I am thinking I need to do something like this:
> ssh-keygen ... -n alice:webserver,www:webserver ...
> ssh-keygen ... -n bob:webserver,www:webserver ...
> with an AuthorizedPrincipalsCommand such as:
> #!/bin/sh
> echo "$1:webserver"
> echo "$1:anywhere"

Haven't thought about using a specific AuthorizedPrincipalsCommand script.

But the other big question is the usability of the process for issuing
and using the OpenSSH user certs. What's your idea on this?

Ciao, Michael.

More information about the openssh-unix-dev mailing list
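The scheme Brian sketches in the quoted message, worked through as an added example (this is editor-supplied code, not code from either poster or from OpenSSH): certificate principals take the form "login:hostgroup", every host runs an AuthorizedPrincipalsCommand that prints the principals it accepts for the requested login name (%u), and a certificate therefore only works on hosts whose group appears in its principal list. The sshd_config fragment, the /etc/ssh/host_groups file and the ssh-keygen issuance commands shown in the comments are assumptions for the example; the principal matching is an exact string comparison, which is what sshd does with command output, and the login-name check is there because %u is client-supplied and a space in it would let a client smuggle an options prefix into the printed lines.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the scheme Brian
# sketched: certificate principals are "<login>:<hostgroup>", and the
# host's AuthorizedPrincipalsCommand prints the principals it accepts for
# the requested login name, so a cert only works on hosts in its groups.
#
# Assumed sshd_config on every host (AuthorizedPrincipalsCommandUser is
# mandatory; the script must be root-owned and not group/world-writable):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u
#   AuthorizedPrincipalsCommandUser nobody
#
# Assumed per-host file /etc/ssh/host_groups, one group name per line,
# e.g. "webserver". Assumed issuance on the CA host:
#   ssh-keygen -s user_ca -I alice -n alice:webserver,www:webserver \
#       -V +4w alice.pub
#   ssh-keygen -s user_ca -I bob   -n bob:anywhere -V +4w bob.pub

HOST_GROUPS_FILE="${HOST_GROUPS_FILE:-/etc/ssh/host_groups}"

# valid_login NAME: only allow a conservative login-name charset. The %u
# token is whatever the client asked for, and a space in it would let
# the client inject an options prefix into the lines printed below.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# principals_for LOGIN [GROUP...]: print, one per line, the principals
# sshd should accept for LOGIN on a host in the given groups, plus the
# catch-all "<login>:anywhere" so a cert can be valid fleet-wide.
principals_for() {
    login="$1"; shift
    valid_login "$login" || return 1
    for g in "$@"; do
        printf '%s:%s\n' "$login" "$g"
    done
    printf '%s:anywhere\n' "$login"
}

# cert_allowed CERT_PRINCIPALS ACCEPTED: emulate sshd's decision. Both
# arguments are whitespace-separated lists (the cert's principal list as
# shown by "ssh-keygen -L -f id_ed25519-cert.pub", and the command output).
# Access is granted if any cert principal equals any accepted principal.
cert_allowed() {
    for p in $1; do
        for a in $2; do
            [ "$p" = "$a" ] && return 0
        done
    done
    return 1
}

# When invoked by sshd as "ssh-principals %u": emit this host's principals.
if [ "$#" -ge 1 ]; then
    host_groups=""
    if [ -r "$HOST_GROUPS_FILE" ]; then
        host_groups=$(grep -v '^#' "$HOST_GROUPS_FILE" || true)
    fi
    principals_for "$1" $host_groups
fi
```

With alice's certificate carrying "alice:webserver,www:webserver", logging in as alice or as www on a webserver host matches one printed line, while the same certificate is refused on a host whose group file says "dbserver" because none of its principals equals "alice:dbserver" or "alice:anywhere". Separate CAs per host group, as Michael mentions, remain the alternative when you would rather not rely on the command output at all.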