SSH certificates - restricting to host groups

Christian, Mark mark.christian at intel.com
Fri Jan 31 03:52:50 AEDT 2020


On Thu, 2020-01-30 at 16:45 +0000, Brian Candler wrote:
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile
> > (or AuthorizedPrincipalsCommand if your authz information needs to
> > change on a quicker cadence than your config pushes) on the machines.
> > 
> > you'd have something like
> > 
> > $ cat /etc/ssh/sshd_config
> > 
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> > 
> > Match User www
> >    AuthorizedKeysFile /etc/ssh/empty
> >    AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> > 
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> > 
> > and alice and bob just have regular user certificates with 'alice'
> > or 'bob' in the principals
> 
> But that doesn't solve the other part of my problem, which is that
> alice and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or "bob".

AllowGroups, AllowUsers in sshd_config.  /etc/security/access.conf or
equivalent.  These are the ways to limit access to systems where bob
and alice are not authorized.

Mark
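As an added illustration (this is not code from the thread or from OpenSSH), the following Python model reproduces the decision sshd makes when it combines the two mechanisms discussed above: the certificate's principals are checked against the target account (directly, or via an AuthorizedPrincipalsFile as in Peter's snippet), and then the account is gated by AllowUsers/AllowGroups as Mark suggests. The host table, account group memberships and principals-file contents are constructed for the example; the model ignores key options in the principals file and the `user@host` pattern form of AllowUsers, and it follows the documented sshd order DenyUsers, AllowUsers, DenyGroups, AllowGroups.

```python
"""Model of sshd's certificate + allow-list authorization decision.

Assumptions (constructed for this example, not OpenSSH source):
  - an AuthorizedPrincipalsFile contains one bare principal per line,
    with blank lines and '#' comments ignored (no key options);
  - AllowUsers/AllowGroups patterns are plain shell wildcards.
"""
import fnmatch


def principals_authorized(cert_principals, target_user, principals_file=None):
    """Return True if the certificate may be used for target_user.

    Without an AuthorizedPrincipalsFile, sshd requires the account name
    itself to appear in the certificate's principal list.  With one, any
    certificate principal listed in the file is sufficient.
    """
    if principals_file is None:
        return target_user in cert_principals
    allowed = set()
    for line in principals_file.splitlines():
        name = line.split("#", 1)[0].strip()
        if name:
            allowed.add(name)
    return any(p in allowed for p in cert_principals)


def allow_lists_permit(user, groups, allow_users=(), allow_groups=(),
                       deny_users=(), deny_groups=()):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in sshd's order.

    An empty Allow list imposes no restriction; a non-empty one requires a
    match.  `groups` is the account's primary plus supplementary groups.
    """
    def matches(name, patterns):
        return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)

    if matches(user, deny_users):
        return False
    if allow_users and not matches(user, allow_users):
        return False
    if any(matches(g, deny_groups) for g in groups):
        return False
    if allow_groups and not any(matches(g, allow_groups) for g in groups):
        return False
    return True


# Constructed per-host sshd configuration and account/group data.
HOSTS = {
    "web01": {
        "allow_groups": ["webadmins"],
        # Match User www -> AuthorizedPrincipalsFile, as in the quoted config
        "principals_files": {"www": "alice\nbob\n# carol was removed\n"},
        "account_groups": {
            "www": {"www", "webadmins"},
            "alice": {"alice", "webadmins"},
            "bob": {"bob"},
        },
    },
    "db01": {
        "allow_groups": ["dbadmins"],
        "principals_files": {},
        "account_groups": {
            "alice": {"alice"},          # has an account, but not a dbadmin
            "dbadmin": {"dbadmin", "dbadmins"},
        },
    },
}


def login_permitted(hostname, target_user, cert_principals):
    """Decide whether a certificate with cert_principals may log in as
    target_user on hostname under that host's (modelled) sshd config."""
    host = HOSTS[hostname]
    pfile = host["principals_files"].get(target_user)
    if not principals_authorized(cert_principals, target_user, pfile):
        return False
    groups = host["account_groups"].get(target_user, set())
    return allow_lists_permit(target_user, groups,
                              allow_groups=host["allow_groups"])


if __name__ == "__main__":
    alice_cert = ["alice"]
    for host, user in [("web01", "www"), ("web01", "alice"),
                       ("web01", "bob"), ("db01", "alice")]:
        print(f"{host}: alice's cert as {user}: "
              f"{login_permitted(host, user, alice_cert)}")
```

Running the model shows the gap Brian describes: on `web01` alice's certificate is accepted for `www` (her principal is listed) and for `alice` (she is in `webadmins`), while on `db01` the same certificate is refused for `alice` only because that host's AllowGroups excludes her account; the certificate itself carries nothing that ties it to a host group.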
