SSH certificates - restricting to host groups
Brian Candler
b.candler at pobox.com
Fri Jan 31 03:45:39 AEDT 2020
On 30/01/2020 16:41, Peter Moody wrote:
> this is the right answer. you want to use AuthorizedPrincipalsFile (or
> AuthorizedPrincipalsCommand if your authz information needs to change
> on a quicker cadence than your config pushes) on the machines.
>
> you'd have something like
>
> $ cat /etc/ssh/sshd_config
>
> <snip>
> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
>
> Match User www
> AuthorizedKeysFile /etc/ssh/empty
> AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> <snip>
>
> $ cat /etc/ssh/www_authorized_principals
> alice
> bob
>
> and alice and bob just have regular user certificates with 'alice' or
> 'bob' in the principals
But that doesn't solve the other part of my problem, which is that alice
and bob's certificates should only be usable for logging in to a
specific group of hosts - even as their own username "alice" or "bob".
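Added example, not code from this thread or from OpenSSH: it builds a constructed user certificate with a dummy key and signature, parses its principals list, and emulates the AuthorizedPrincipalsFile match, to show how group-named principals plus a per-host-group principals file scope a certificate to one set of hosts. The group names web-admins and db-admins, the paths under /etc/ssh/auth_principals/, and the key id are assumptions.

```python
import base64
import struct

def _s(b):  # encode an SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):  # read one SSH "string" at off -> (bytes, offset after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_user_cert(key_id, principals):
    """Constructed ssh-ed25519-cert-v01 blob with dummy key/signature; a real CA uses ssh-keygen -s."""
    body = _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
    body += struct.pack(">QI", 1, 1)                          # serial, type (1 = user cert)
    body += _s(key_id.encode())
    body += _s(b"".join(_s(p.encode()) for p in principals))  # "valid principals" field
    body += struct.pack(">QQ", 0, 2**64 - 1)                  # valid after / valid before
    body += _s(b"") + _s(b"") + _s(b"")                       # critical options, extensions, reserved
    body += _s(b"dummy-ca-key") + _s(b"dummy-signature")
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " constructed"

def cert_principals(cert_line):
    """Parse the 'valid principals' list out of an authorized_keys-style certificate line."""
    blob = base64.b64decode(cert_line.split()[1])
    off = 0
    for _ in range(3):                                        # key type, nonce, public key
        _, off = _rd(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    if ctype != 1:
        raise ValueError("not a user certificate")
    _, off = _rd(blob, off)                                   # key id
    packed, _ = _rd(blob, off)
    names, p = [], 0
    while p < len(packed):
        name, p = _rd(packed, p)
        names.append(name.decode())
    return names

def matching_principals(cert_line, principals_file_text):
    """Emulate sshd's AuthorizedPrincipalsFile check: some cert principal must be listed.
    Blank and '#' lines are skipped; per-line options (from=, command=...) are not modelled."""
    listed = {ln.strip() for ln in principals_file_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(set(cert_principals(cert_line)) & listed)

# Constructed per-host-group principals files; the cert below carries only the web-group name.
WEB_PRINCIPALS = "# /etc/ssh/auth_principals/alice on web hosts (constructed)\nweb-admins\n"
DB_PRINCIPALS = "# /etc/ssh/auth_principals/alice on db hosts (constructed)\ndb-admins\n"
ALICE_CERT = make_user_cert("alice@laptop", ["web-admins"])
```

Once AuthorizedPrincipalsFile is set, sshd no longer treats the login name as an implicit principal, so a certificate carrying only web-admins authenticates alice on hosts whose file lists that name and on no others.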