SSH certificates - restricting to host groups

Michael Ströder michael at
Fri Jan 31 03:05:26 AEDT 2020

On 1/30/20 2:16 PM, Brian Candler wrote:
> On 30/01/2020 12:53, Michael Ströder wrote:
>> But the other big question is the usability of the process for issuing
>> and using the OpenSSH user certs. What's your idea on this?
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user.  This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)

Adding authz information to user certs means that you need to renew the
cert if the authz information changes during cert lifetime. This can be
annoying for users.

How long should your user certs be valid?

You have to maintain this user-hostgroup relationship somewhere. Is it
possible for your system to query this information?


Ciao, Michael.
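The scheme discussed in this exchange (user -> group -> host-group indirection, "user:hostgroup" principals in the cert, and the renewal problem Michael raises) as a small Python model. This is an added example, not code from the thread or from the OpenSSH project; the users, groups, host groups and file paths in it are constructed, and `host_authorizes` only mirrors the principal and validity checks sshd makes rather than calling sshd.

```python
# Added example (not from the thread): a small model of the
# "user:hostgroup" principal scheme and of why authz data baked into a
# user cert only changes when the cert is re-issued. All users, groups,
# host groups and file paths below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed directory data: user -> groups, group -> host groups.
# The host groups act as the "principal suffixes" of the indirection.
USER_GROUPS = {
    "alice": ["webadmins", "dbadmins"],
    "bob": ["webadmins"],
}
GROUP_HOSTGROUPS = {
    "webadmins": ["web"],
    "dbadmins": ["db"],
}


def principals_for(user, user_groups=USER_GROUPS, group_hostgroups=GROUP_HOSTGROUPS):
    """Resolve user -> groups -> host groups into sorted 'user:hostgroup' principals."""
    hostgroups = set()
    for group in user_groups.get(user, []):
        hostgroups.update(group_hostgroups.get(group, []))
    return sorted(f"{user}:{hg}" for hg in hostgroups)


@dataclass
class UserCert:
    """The fields of an OpenSSH user certificate that matter here."""
    key_id: str
    principals: list
    valid_after: datetime
    valid_before: datetime


def issue_cert(user, valid_days, now, user_groups=USER_GROUPS, group_hostgroups=GROUP_HOSTGROUPS):
    """Snapshot the user's current authz into a cert valid for valid_days from now."""
    return UserCert(
        key_id=f"{user}-{now:%Y%m%d%H%M}",
        principals=principals_for(user, user_groups, group_hostgroups),
        valid_after=now,
        valid_before=now + timedelta(days=valid_days),
    )


def ssh_keygen_sign_argv(cert, user_pubkey, ca_key="/etc/ssh/user_ca"):
    """The ssh-keygen invocation that would mint this cert (paths are constructed).

    -s CA key, -I key id, -n comma-separated principals,
    -V absolute validity interval in YYYYMMDDHHMM:YYYYMMDDHHMM form.
    """
    return [
        "ssh-keygen", "-s", ca_key,
        "-I", cert.key_id,
        "-n", ",".join(cert.principals),
        "-V", f"{cert.valid_after:%Y%m%d%H%M}:{cert.valid_before:%Y%m%d%H%M}",
        user_pubkey,
    ]


def host_authorizes(cert, login_user, host_group, now):
    """Host-side decision: is login as login_user allowed on a host in host_group?

    Mirrors what sshd checks: the cert must be inside its validity interval and
    carry the principal the host expects (here 'login_user:host_group', as a
    principals file or AuthorizedPrincipalsCommand on that host would list it).
    """
    if not (cert.valid_after <= now < cert.valid_before):
        return False
    return f"{login_user}:{host_group}" in cert.principals


def stale_access_window(cert, login_user, host_group, revoked_at):
    """How long an already-issued cert keeps granting access after authz is withdrawn.

    This is the cost Michael points out: removing the user from a group changes
    only certs issued afterwards; existing ones stay valid until valid_before.
    """
    if f"{login_user}:{host_group}" not in cert.principals:
        return timedelta(0)
    return max(timedelta(0), cert.valid_before - revoked_at)


if __name__ == "__main__":
    t0 = datetime(2020, 1, 31, 12, 0, tzinfo=timezone.utc)
    cert = issue_cert("alice", valid_days=7, now=t0)
    print(" ".join(ssh_keygen_sign_argv(cert, "alice.pub")))
    # Alice is dropped from dbadmins three days in; her cert still opens db hosts.
    print(stale_access_window(cert, "alice", "db", t0 + timedelta(days=3)))
```

The `stale_access_window` result is the quantity that answers "how long should your user certs be valid?": the validity period is an upper bound on how long withdrawn access keeps working unless the CA also revokes the cert (via a KRL) or the hosts look the user up live with AuthorizedPrincipalsCommand instead of trusting the principals baked into the cert.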

More information about the openssh-unix-dev mailing list