SSH certificates - restricting to host groups

Brian Candler b.candler at
Fri Jan 31 03:23:53 AEDT 2020

On 30/01/2020 13:31, Manoel Domingues Junior wrote:
> I think that adding an extension to the certificate as it is done for
> source-address validation can be one way.
> Currently, as it is necessary to support different versions of OpenSSH, we
> have developed GSH that uses AuthorizedPrincipalsCommand to validate
> whether the certificate was issued to the destination in question. You can
> add a script at AuthorizedPrincipalsCommand to validate an extension.
> GSH:

I wondered about that, but I couldn't see how
AuthorizedPrincipalsCommand could get access to the extensions. Looking
at the latest OpenBSD manpage, I see that the %k token has been added (for
the entire base64-encoded certificate). That will solve the problem
once other distros pick this up; Ubuntu 18.04 doesn't have %k.

Thanks also for the pointer to gsh. I see:

AuthorizedPrincipalsCommand /usr/local/bin/gsh-agent check-permission --serial-number %s --username %u --api --key-id %i --key-fingerprint %f --certificate %k --certificate-type %t

I would therefore expect that if you're using an older version of SSH
(without %k), it would have to query the API to find the extensions.
That would make it a critical service, much like LDAP would be.
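As an added illustration of the %k approach discussed above (not code from gsh or from the list thread), the following script parses the base64 certificate that sshd passes via %k, pulls out its extensions, and only emits the certificate's principals when a hypothetical host-group extension names the group this host belongs to. The extension name `host-group@example.com`, its comma-separated value format, and the constructed unsigned test certificate are all assumptions; the wire layout follows OpenSSH's PROTOCOL.certkeys, and sshd has already checked the CA signature and validity period before the command runs.

```python
import base64
import struct

def _put(s):  # encode bytes as an SSH "string": uint32 big-endian length + data
    return struct.pack(">I", len(s)) + s

def _get(buf, off):  # decode one SSH "string" at off; return (data, new_offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _split(blob):  # a buffer of back-to-back SSH strings -> list of bytes
    out, off = [], 0
    while off < len(blob):
        s, off = _get(blob, off)
        out.append(s)
    return out

# Number of key-material strings that follow the nonce, per certificate type
_KEY_FIELDS = {b"ssh-ed25519-cert-v01@openssh.com": 1,
               b"ssh-rsa-cert-v01@openssh.com": 2,
               b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}

def parse_certificate(b64):  # key id, principals and extensions of a base64 OpenSSH cert (the %k value)
    buf = base64.b64decode(b64)
    ctype, off = _get(buf, 0)
    for _ in range(1 + _KEY_FIELDS[ctype]):  # nonce, then the public key material
        _, off = _get(buf, off)
    off += 12  # uint64 serial + uint32 type: not needed for this check
    key_id, off = _get(buf, off)
    principals, off = _get(buf, off)
    off += 16  # valid_after + valid_before: sshd has already enforced validity
    _critical, off = _get(buf, off)
    ext_blob, off = _get(buf, off)
    pairs = _split(ext_blob)  # alternating name, data
    # Flag extensions (permit-pty, ...) carry empty data; ssh-keygen -O extension:name=value nests the value in a string
    exts = {n.decode(): (_get(d, 0)[0].decode() if d else "") for n, d in zip(pairs[0::2], pairs[1::2])}
    return {"key_id": key_id.decode(), "extensions": exts, "principals": [p.decode() for p in _split(principals)]}

HOST_GROUP_EXT = "host-group@example.com"  # hypothetical extension carrying comma-separated host groups

def allowed_principals(b64, local_group):  # principals sshd may accept here; [] if cert is not scoped to this group
    cert = parse_certificate(b64)
    return cert["principals"] if local_group in cert["extensions"].get(HOST_GROUP_EXT, "").split(",") else []

def make_test_certificate(principals, extensions):  # constructed, unsigned ed25519 cert: structure only, for offline tests
    ext_blob = b"".join(_put(n.encode()) + _put(_put(v.encode()) if v else b"") for n, v in extensions.items())
    body = (_put(b"ssh-ed25519-cert-v01@openssh.com") + _put(b"\0" * 32) + _put(b"\0" * 32)
            + struct.pack(">QI", 1, 1) + _put(b"alice@example.com") + _put(b"".join(_put(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1) + _put(b"") + _put(ext_blob) + _put(b"") + _put(b"") + _put(b""))
    return base64.b64encode(body).decode()
```

Wired up as `AuthorizedPrincipalsCommand /path/to/script %k <this host's group>`, the script would print one principal per line, and an empty output denies the login without any round trip to a central API.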
