SSH certificates - restricting to host groups
Michael Ströder
michael at stroeder.com
Fri Jan 31 03:05:26 AEDT 2020
On 1/30/20 2:16 PM, Brian Candler wrote:
> On 30/01/2020 12:53, Michael Ströder wrote:
>> But the other big question is the usability of the process for issuing
>> and using the OpenSSH user certs. What's your idea on this?
>
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user. This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)
Adding authz information to user certs means that you need to renew the
cert if the authz information changes during cert life-time. This can be
annoying for users.
How long should your user certs be valid?
You have to maintain this user-hostgroup relationship somewhere. Is it
possible for your system to query this information?
YMMV.
Ciao, Michael.
More information about the openssh-unix-dev
mailing list