SSH certificates - restricting to host groups

Brian Candler
Fri Jan 31 03:45:39 AEDT 2020

On 30/01/2020 16:41, Peter Moody wrote:
> this is the right answer. you want to use AuthorizedPrincipalsFile (or
> AuthorizedPrincipalsCommand if your authz information needs to change
> on a quicker cadence than your config pushes) on the machines.
> you'd have something like
> $ cat /etc/ssh/sshd_config
> <snip>
> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> Match User www
>    AuthorizedKeysFile /etc/ssh/empty
>    AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> <snip>
> $ cat /etc/ssh/www_authorized_principals
> alice
> bob
> and alice and bob just have regular user certificates with 'alice' or
> 'bob' in the principals

But that doesn't solve the other part of my problem, which is that alice 
and bob's certificates should only be usable for logging in to a 
specific group of hosts - even as their own username "alice" or "bob".
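As an added illustration (not part of this thread and not OpenSSH code), a small Python model of sshd's principal matching: a certificate whose only principal is the username is accepted on every host that has that account, and, going one step beyond the thread, a certificate carrying host-group principals that each host's AuthorizedPrincipalsFile names is accepted only inside that group. Host names, group names and file contents are constructed.

```python
"""Simulation of sshd's certificate-principal check (hypothetical, not
OpenSSH code). It models the rule from sshd_config(5): if the target
account has an AuthorizedPrincipalsFile, any name listed there that also
appears in the certificate is accepted; with no such file (the default),
the username itself must be one of the certificate's principals."""


def cert_allowed(principals_file, target_user, cert_principals):
    """Return True if a certificate with cert_principals may log in as
    target_user. principals_file is the set of names from the account's
    AuthorizedPrincipalsFile, or None when none is configured."""
    if principals_file is None:
        return target_user in cert_principals
    return bool(principals_file & cert_principals)


# Constructed fleet: per host, per account, the AuthorizedPrincipalsFile
# contents. Accounts absent from a host's dict use the default (None).
FLEET_USERNAME_SCHEME = {
    "web1": {"www": {"alice", "bob"}},
    "web2": {"www": {"alice", "bob"}},
    "db1":  {"www": {"alice"}},   # db1's admin copied the web list
}
FLEET_GROUP_SCHEME = {
    "web1": {"www": {"webfarm-www"}, "alice": {"webfarm-admin"}},
    "web2": {"www": {"webfarm-www"}, "alice": {"webfarm-admin"}},
    "db1":  {"www": {"dbfarm-www"},  "alice": {"dbfarm-admin"}},
}


def where_accepted(fleet, target_user, cert_principals):
    """Sorted names of hosts on which the certificate may log in as target_user."""
    return sorted(host for host, accounts in fleet.items()
                  if cert_allowed(accounts.get(target_user), target_user, cert_principals))


def demo():
    alice_plain = {"alice"}                        # certificate as in the thread
    alice_web = {"webfarm-www", "webfarm-admin"}   # host-group principals only
    return {
        "plain_as_www":   where_accepted(FLEET_USERNAME_SCHEME, "www", alice_plain),
        "plain_as_alice": where_accepted(FLEET_USERNAME_SCHEME, "alice", alice_plain),
        "group_as_www":   where_accepted(FLEET_GROUP_SCHEME, "www", alice_web),
        "group_as_alice": where_accepted(FLEET_GROUP_SCHEME, "alice", alice_web),
    }


if __name__ == "__main__":
    for case, hosts in demo().items():
        print(case, hosts)
```

In the username scheme the certificate works on db1 too, both as www (because db1 lists alice) and as alice (because the default rule only needs the username); in the group scheme db1 refuses it for both accounts.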
