SSH certificates - restricting to host groups

Peter Moody mindrot at
Fri Jan 31 03:41:09 AEDT 2020

On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at> wrote:
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as "bob" and "www" to machines in group "webserver"
> > (only).
> Why can't you have a AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob?  Wouldn't that allow alice to ssh as alice, and www, and allow
> bob to ssh as bob and www to any machines that had this
> authorizedPrincipals file configuration?

this is the right answer. you want to use AuthorizedPrincipalsFile (or
AuthorizedPrincipalsCommand if your authz information needs to change
on a quicker cadence than your config pushes) on the machines.

you'd have something like

$ cat /etc/ssh/sshd_config

TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys

Match User www
  AuthorizedKeysFile /etc/ssh/empty
  AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals

$ cat /etc/ssh/www_authorized_principals
alice
bob

and alice and bob just have regular user certificates with 'alice' or
'bob' in the principals
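To make the decision rule in this thread concrete, here is a small model of how sshd evaluates a CA-signed user certificate against an AuthorizedPrincipalsFile (with the webserver-group files from the discussion as constructed sample input). This is an added illustration, not code from the list post or from OpenSSH; the function names are mine.

```python
"""Model of sshd's principal check for CA-signed user certificates.

With TrustedUserCAKeys set, sshd accepts a certificate for a login account
if (a) the account has an AuthorizedPrincipalsFile and any principal listed
there appears in the certificate, or (b) no such file is configured and the
certificate names the login account itself as a principal.
Added example; function names are not part of OpenSSH.
"""
from typing import Iterable, Mapping, Optional, Set

def parse_principals_file(text: str) -> Set[str]:
    """Return the principal names listed in an AuthorizedPrincipalsFile.

    Blank lines and '#' comments are ignored. A line may start with key
    options (e.g. from="10.0.0.0/8"); the principal is the final token.
    """
    principals: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principals.add(line.split()[-1])
    return principals

def certificate_allows_login(target_user: str,
                             cert_principals: Iterable[str],
                             principals_files: Mapping[str, str]) -> bool:
    """Decide whether a certificate carrying cert_principals may log in as
    target_user on a host whose per-account AuthorizedPrincipalsFile
    contents are given in principals_files (account -> file text)."""
    text: Optional[str] = principals_files.get(target_user)
    if text is None:
        # Default behaviour: the certificate must name the account itself.
        return target_user in set(cert_principals)
    return bool(parse_principals_file(text) & set(cert_principals))

# Constructed sample: the AuthorizedPrincipalsFile contents pushed to every
# host in the "webserver" group, following the thread's suggestion.
WEBSERVER_PRINCIPALS_FILES = {
    "alice": "alice\n",
    "bob": "bob\n",
    "www": "# shared deploy account for the webserver group\nalice\nbob\n",
}

if __name__ == "__main__":
    # Alice's certificate carries only the principal "alice".
    for account in ("alice", "bob", "www"):
        ok = certificate_allows_login(account, ["alice"], WEBSERVER_PRINCIPALS_FILES)
        print(f"alice -> {account}: {'allowed' if ok else 'denied'}")
```

On a host outside the group, where no www principals file exists, the same certificate is refused for www because it does not carry the principal "www".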
