SSH certificates - restricting to host groups

Christian, Mark mark.christian at intel.com
Fri Jan 31 02:02:20 AEDT 2020


On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> As a concrete example: I want Alice to be able to login as "alice" and
> "www" to machines in group "webserver" (only). Also, I want Bob to be
> able to login as "bob" and "www" to machines in group "webserver"
> (only).

Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
each of the "web servers", where the contents of the alice file include
the principal name alice, the contents of the bob file contain the bob
principal, and the contents of the www file contain the contents alice
and bob?  Wouldn't that allow alice to ssh as alice, and www, and allow
bob to ssh as bob and www to any machines that had this
authorizedPrincipals file configuration?

Mark
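
The layout suggested above, as an added example that is not part of the original message or of OpenSSH itself. The paths (`/etc/ssh/user_ca.pub`, `/etc/ssh/auth_principals/%u`), the staging-directory functions and `may_login` are assumptions; `may_login` is a simplified model of sshd's principals check (one principal per line, no per-line options), not sshd code.

```shell
#!/bin/sh
# Assumed signing step: each user's certificate carries only their own principal,
# e.g.  ssh-keygen -s user_ca -I alice -n alice alice_key.pub

# Stage the files for a host in the "webserver" group under $1.
setup_webserver() {
    mkdir -p "$1/auth_principals"
    cat > "$1/sshd_config.snippet" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
    echo alice > "$1/auth_principals/alice"
    echo bob > "$1/auth_principals/bob"
    printf 'alice\nbob\n' > "$1/auth_principals/www"   # both may log in as www
}

# Stage a host outside the group: same sshd_config lines, but no
# principals files for alice, bob or www.
setup_other_host() {
    mkdir -p "$1/auth_principals"
}

# may_login ROOT "CERT_PRINCIPALS" ACCOUNT
# Model: the certificate is accepted for ACCOUNT only if one of its principals
# is a line in ACCOUNT's principals file; a missing file means refusal.
may_login() {
    file="$1/auth_principals/$3"
    [ -f "$file" ] || return 1
    for p in $2; do
        grep -Fxq -- "$p" "$file" && return 0
    done
    return 1
}

# Demo on constructed data: what alice's certificate can reach.
demo=$(mktemp -d)
setup_webserver "$demo/web"
setup_other_host "$demo/db"
for acct in alice www bob; do
    if may_login "$demo/web" "alice" "$acct"; then r=accept; else r=refuse; fi
    echo "web: cert[alice] -> $acct: $r"
done
if may_login "$demo/db" "alice" alice; then r=accept; else r=refuse; fi
echo "db:  cert[alice] -> alice: $r"
rm -rf "$demo"
```

The host-group restriction depends on hosts outside the group also setting AuthorizedPrincipalsFile (or not trusting the CA at all). When the option is unset, sshd accepts a certificate whose principals list contains the account name, so alice's certificate would work for the alice account on any host that trusts the CA.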


More information about the openssh-unix-dev mailing list