SSH certificates - restricting to host groups

Brian Candler b.candler at
Fri Jan 31 03:37:11 AEDT 2020

On 30/01/2020 15:02, Christian, Mark wrote:
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
>> As a concrete example: I want Alice to be able to login as "alice"
>> and
>> "www" to machines in group "webserver" (only). Also, I want Bob to
>> be
>> able to login as "bob" and "www" to machines in group "webserver"
>> (only).
> Why can't you have a AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob?  Wouldn't that allow alice to ssh as alice, and www, and allow
> bob to ssh as bob and www to any machines that had this
> authorizedPrincipals file configuration?

Yes, that would work, but then it comes back down to configuration 
management to push out all authorizations (and  more importantly, remove 
them when no longer authorized).  If you're going to do that, it's not 
too far removed from pushing out ~/.ssh/authorized_keys for each user.

I was hoping to avoid the dependency on configuration management by 
carrying the authorization in the certs themselves - if that is in the 
spirit of the SSH cert mechanism.

On 30/01/2020 16:05, Michael Ströder wrote:
> Adding authz information to user certs means that you need to renew the
> cert if the authz information changes during cert life-time. This can be
> annoying for users.
> How long should your user certs be valid?

I think on an initial implementation I'd go with 3-month certs, perhaps 
using a PKCS#11 token like a Yubikey.  You're right that if we have to 
change the authorization for a user, they'd need a new cert.

Eventually it would be nice to move to daily certs with online login 
(e.g. cashier, step-ca) in which case anyone who needs a new cert can 
get it themselves instantly.  The main thing stopping me from doing this 
straight away is your other point:

> You have to maintain this user-hostgroup relationship somewhere. Is it
> possible for your system to query this information?

The inventory system tracks hosts rather than users, but I don't see a 
big problem putting the user-group relationship into LDAP, even if it 
only writes out a flat file periodically.

However, the system which issues the certs needs to be able to do the 
mapping from OIDC claims to SSH cert principals.  I've just been looking 
at step-ca and I don't see a way to do that.  I haven't looked at 
cashier yet, and I only just learned of gsh.



More information about the openssh-unix-dev mailing list