SSH certificates - restricting to host groups

Manoel Domingues Junior manoel.domingues.junior at
Fri Jan 31 00:31:29 AEDT 2020


I think that adding an extension to the certificate as it is done for
source-address validation can be one way.

Currently, as it is necessary to support different versions of OpenSSH, we
have developed GSH that uses AuthorizedPrincipalsCommand to validate
whether the certificate was issued to the destination in question. You can
add a script at AuthorizedPrincipalsCommand to validate an extension.



On Thu, 30 Jan 2020 at 10:16, Brian Candler <b.candler at>

> On 30/01/2020 12:53, Michael Ströder wrote:
> > On 1/30/20 1:27 PM, Brian Candler wrote:
> >> I am trying to work out the best way to issue SSH certificates in such a
> >> way that they only allow access to specific usernames *and* only to
> >> specific groups of hosts.
> > I also thought about this for a while. The only idea I came up with is
> > to have separate CAs used as trust anchor for each host group.
> I did think of that, and discounted it as being too ugly :-)
> I also thought about using extensions in the user cert - but I couldn't
> see a way to get sshd to require the presence of a particular extension
> to permit login.
> >
> > But the other big question is the usability of the process for issuing
> > and using the OpenSSH user certs. What's your idea on this?
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user.  This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)
> At the host side, I was thinking of authorizing principals based on the
> machine's "role" in Netbox, which we use as inventory database:
> #!/bin/sh
> echo "$1:{{ device_role }}"
> echo "$1:all"
> Regards,
> Brian.
Manoel Domingues Junior
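Manoel's suggestion above, as an added example (not code from the thread or from GSH): a Python AuthorizedPrincipalsCommand helper that parses the certificate sshd passes as %k, checks a hypothetical host-group@example.com extension (the kind set with ssh-keygen -O extension:name=value) against this host's group, and emits %u as the only principal when they match. The extension name, the /etc/ssh/host-group file and the constructed sample certificate are assumptions.

```python
# Helper for AuthorizedPrincipalsCommand: sshd verifies the CA signature before
# running it, so only the certificate's extension field needs parsing here.
import base64, struct, sys
EXT_NAME = "host-group@example.com"   # hypothetical extension name set by the CA
CERT_TYPE_USER = 1
GROUP_FILE = "/etc/ssh/host-group"    # hypothetical: this host's group, one line

def _string(buf, off):                # one SSH wire string: uint32 length + bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

_put = lambda s: struct.pack(">I", len(s)) + s      # inverse of _string
def parse_cert(cert_b64):
    """Return (cert_type, key_id, {extension: value}) from a base64 OpenSSH cert."""
    buf = base64.b64decode(cert_b64)
    algo, off = _string(buf, 0)
    _, off = _string(buf, off)                                  # nonce
    base = algo.decode().split("-cert")[0]
    npk = {"ssh-ed25519": 1, "ssh-rsa": 2, "ssh-dss": 4}.get(base, 2)  # ecdsa/sk-*: 2
    for _ in range(npk):
        _, off = _string(buf, off)                              # public key parts
    _serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _string(buf, off + 12)
    _, off = _string(buf, off)                                  # valid principals
    _, off = _string(buf, off + 16)                 # skip validity window; critical options
    ext_blob, off = _string(buf, off)
    exts, o = {}, 0
    while o < len(ext_blob):
        name, o = _string(ext_blob, o)
        data, o = _string(ext_blob, o)
        exts[name.decode()] = _string(data, 0)[0].decode() if data else ""  # valued: nested string; flag: empty
    return ctype, key_id.decode(), exts

def principals_for(cert_b64, user, local_group):
    """Authorize only %u, and only if the cert's host-group list names this host's group."""
    ctype, _key_id, exts = parse_cert(cert_b64)
    groups = [g for g in exts.get(EXT_NAME, "").split(",") if g]
    return [user] if ctype == CERT_TYPE_USER and local_group in groups else []

def build_sample_cert(groups, ctype=CERT_TYPE_USER):
    """Constructed, unsigned ssh-ed25519 certificate for offline testing only."""
    ext = _put(EXT_NAME.encode()) + _put(_put(groups.encode()))
    body = (_put(b"ssh-ed25519-cert-v01@openssh.com") + _put(b"\0" * 32) + _put(b"\0" * 32)
            + struct.pack(">QI", 1, ctype) + _put(b"alice@example") + _put(_put(b"alice"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _put(b"") + _put(ext) + _put(b"") * 3)
    return base64.b64encode(body).decode()

if __name__ == "__main__":   # sshd_config: AuthorizedPrincipalsCommand /usr/local/sbin/cert-principals.py %u %k
    group = open(GROUP_FILE).read().strip()
    print("\n".join(principals_for(sys.argv[2], sys.argv[1], group)))
```

Pair it with AuthorizedPrincipalsCommandUser in sshd_config; because only %u is echoed back, the certificate still has to list the user name among its principals for login to succeed.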
