SSH certificates - restricting to host groups
Christian, Mark
mark.christian at intel.com
Fri Jan 31 03:52:50 AEDT 2020
On Thu, 2020-01-30 at 16:45 +0000, Brian Candler wrote:
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile
> > (or
> > AuthorizedPrincipalsCommand if your authz information needs to
> > change
> > on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> > AuthorizedKeysFile /etc/ssh/empty
> > AuthorizedPrincipalsFile /etc/ssh/www_authorizedPrincipals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice'
> > or
> > 'bob' in the princpals
>
> But that doesn't solve the other part of my problem, which is that
> alice
> and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or
> "bob".
AllowGroups, AllowUsers in sshd_config. /etc/security/access.conf or
equivalent. These are the ways to limit access to systems where bob
and alice are not authorized.
Mark
More information about the openssh-unix-dev
mailing list