SSH certificates - restricting to host groups
Brian Candler
b.candler at pobox.com
Fri Jan 31 00:16:06 AEDT 2020
On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames *and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust anchor for each host group.
I did think of that, and discounted it as being too ugly :-)
I also thought about using extensions in the user cert - but I couldn't
see a way to get sshd to require the presence of a particular extension
to permit login.
>
> But the other big question is the usability of the process for issuing
> and using the OpenSSH user certs. What's your idea on this?
I hadn't got to the details of the user side, but AFAICS all it requires
is a list of user:hostgroup principals to include in the cert for a
given user. This could be kept directly as an attribute of the user, or
you could generate it via a level of indirection (user -> group; group
-> list of principals or principal suffixes)
At the host side, I was thinking of authorizing principals based on the
machine's "role" in Netbox, which we use as inventory database:
#!/bin/sh
# AuthorizedPrincipalsCommand helper: $1 is the login user name and
# {{ device_role }} is templated in from the Netbox role at deploy time.
echo "$1:{{ device_role }}"
echo "$1:all"
Regards,
Brian.
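The scheme in the message above, worked through end to end as an added example (this is not code from the original post or from OpenSSH). It models both sides of the user:hostgroup principal idea: the host-side script that lists acceptable principals for a login name and an inventory role, the issuer-side indirection (user -> group -> principal suffixes), and sshd's matching rule, which accepts the login if any principal in the certificate appears in the command's output. The users alice, bob and carol, the groups webadmins, dbas and ops, the roles webserver, loadbalancer and dbserver, and the file paths in the comments are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Relevant sshd_config lines,
# assumed for the example:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsCommand /etc/ssh/principals.sh %u
#   AuthorizedPrincipalsCommandUser nobody

# Host side: principals sshd accepts for login user $1 on a host whose
# inventory role is $2 (the post's script has the role templated in).
host_principals() {
    printf '%s:%s\n' "$1" "$2"
    printf '%s:all\n' "$1"
}

# Issuer side, constructed sample data standing in for an inventory or IdP.
group_of() {
    case "$1" in
        alice) echo webadmins ;;
        bob)   echo dbas ;;
        carol) echo ops ;;
        *)     return 1 ;;
    esac
}
group_suffixes() {
    case "$1" in
        webadmins) echo "webserver loadbalancer" ;;
        dbas)      echo "dbserver" ;;
        ops)       echo "all" ;;
    esac
}

# Principals to put in a user's certificate, one per line. Joined with
# commas they become the -n argument to
#   ssh-keygen -s user_ca -I "$user" -n "<principals>" "$user.pub"
cert_principals() {
    user=$1
    g=$(group_of "$user") || return 1
    for s in $(group_suffixes "$g"); do
        printf '%s:%s\n' "$user" "$s"
    done
}

# sshd's rule: login succeeds iff at least one certificate principal is
# listed by AuthorizedPrincipalsCommand for this user on this host.
# Args: login user, host role, then the certificate's principals.
# Returns 0 (allow) or 1 (deny).
check_login() {
    login=$1; role=$2; shift 2
    allowed=$(host_principals "$login" "$role")
    for p in "$@"; do
        for a in $allowed; do
            [ "$p" = "$a" ] && return 0
        done
    done
    return 1
}

# Walk-through: alice's cert carries alice:webserver and alice:loadbalancer.
# It opens a webserver host but not a dbserver host, and cannot be used to
# log in as bob anywhere, because the login name is baked into the principal.
if check_login alice webserver $(cert_principals alice); then
    echo "alice@webserver: allow"
fi
if ! check_login alice dbserver $(cert_principals alice); then
    echo "alice@dbserver: deny"
fi
if ! check_login bob dbserver $(cert_principals alice); then
    echo "bob@dbserver with alice's cert: deny"
fi
```

Because the login name is part of every principal and is fed to the command through %u, a certificate only ever matches for the user it was issued to, and the role suffix confines it to that host group; the :all suffix is the deliberate escape hatch for a group like ops. Two things a deployment needs that the model leaves out: sshd requires AuthorizedPrincipalsCommand to be an absolute path to a file owned by root and not writable by group or others, and AuthorizedPrincipalsCommandUser must be set or the command is not run.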
More information about the openssh-unix-dev mailing list