SSH certificates - restricting to host groups

Peter Moody mindrot at
Fri Jan 31 04:02:04 AEDT 2020

On Thu, Jan 30, 2020 at 8:45 AM Brian Candler <b.candler at> wrote:
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile (or
> > AuthorizedPrincipalsCommand if your authz information needs to change
> > on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> >    AuthorizedKeysFile /etc/ssh/empty
> >    AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice' or
> > 'bob' in the principals
> But that doesn't solve the other part of my problem, which is that alice
> and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or "bob".

on any machine that has those two snippets above, 'alice' and 'bob'
will be able to log in as 'www'. If user accounts for 'alice' and
'bob' exist on those same machines, 'alice' and 'bob' will be able to
log in only as 'alice' and 'bob' respectively (i.e., a certificate with
'alice' can be used to authenticate as the alice user and a
certificate with 'bob' can be used to authenticate as the 'bob' user).

the POSIX user accounts don't need to exist on a given machine to use
the AuthorizedPrincipalsFile/AuthorizedPrincipalsCommand for logging
in as a shared user. If you're saying that you don't want 'alice' or
'bob' to be able to log into the webserver machines as alice or bob,
then don't create those accounts, but they can still use their
certificates with the AuthorizedPrincipalsFile to get access to www.
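As an added example (not part of this thread and not OpenSSH code), the
following Python models the decision sshd makes for the setup above: the
www account on each host has an AuthorizedPrincipalsFile, the personal
accounts do not, and the same alice/bob certificates are tried against
both. It goes one step beyond the message to cover the host-group
question: alice's certificate also carries a group principal
'web-admins' that only the web hosts' www file lists, so that one
certificate opens www on web hosts and not on db hosts. The certificate
blobs are constructed in-process with filler key material and an
unsigned signature field so they decode like a real ssh-ed25519
certificate; CA signature verification against TrustedUserCAKeys is not
modelled, and the principal names and file contents are made up for the
example.

```python
from __future__ import annotations

import base64
import struct
from collections import namedtuple

ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER = 1
UserCert = namedtuple("UserCert", "key_id cert_type principals valid_after valid_before")


def _string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(key_id: str, principals: list[str], *, serial: int = 1,
                    valid_after: int = 0,
                    valid_before: int = 0xFFFFFFFFFFFFFFFF) -> str:
    """One-line certificate laid out per PROTOCOL.certkeys (the format of
    id_ed25519-cert.pub).  Constructed example: nonce, subject key, CA key and
    signature are filler bytes, so this would never verify against a real CA.
    The default valid_before is the 'forever' value ssh-keygen writes."""
    blob = b"".join([
        _string(ED25519_CERT.encode()),
        _string(b"\x00" * 32),                              # nonce
        _string(b"\x11" * 32),                              # pk: subject ed25519 key (filler)
        struct.pack(">QI", serial, CERT_TYPE_USER),         # serial, type
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),   # valid principals
        struct.pack(">QQ", valid_after, valid_before),
        _string(b""), _string(b""), _string(b""),           # critical options, extensions, reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),    # signature key (CA, filler)
        _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)),    # signature (filler)
    ])
    return f"{ED25519_CERT} {base64.b64encode(blob).decode()} {key_id}"


class _Reader:
    """Sequential decoder for the SSH wire types a certificate uses."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def uint(self, fmt: str) -> int:        # fmt is ">I" (uint32) or ">Q" (uint64)
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v
    def string(self) -> bytes:
        n = self.uint(">I")
        if self.off + n > len(self.data):
            raise ValueError("truncated certificate blob")
        s, self.off = self.data[self.off:self.off + n], self.off + n
        return s


def parse_cert_line(line: str) -> UserCert:
    """Decode the fields sshd consults for authorization (what ssh-keygen -L prints).
    ed25519 only: RSA/ECDSA certificates have a differently shaped key section."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if key_type != ED25519_CERT or r.string() != ED25519_CERT.encode():
        raise ValueError(f"unsupported or inconsistent certificate type {key_type!r}")
    r.string(), r.string(), r.uint(">Q")            # skip nonce, pk, serial
    cert_type, key_id = r.uint(">I"), r.string().decode()
    plist, principals = _Reader(r.string()), []
    while plist.off < len(plist.data):
        principals.append(plist.string().decode())
    return UserCert(key_id, cert_type, principals, r.uint(">Q"), r.uint(">Q"))


def principals_from_file(text: str) -> set[str]:
    """AuthorizedPrincipalsFile: one principal per line; '#' comments and blank lines
    are ignored, and key options (from=..., etc.) precede the principal name."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[-1])
    return names


def cert_allows_login(cert: UserCert, login_user: str, now: int,
                      authorized_principals: str | None = None) -> bool:
    """sshd's decision once the signing CA is trusted: with a principals file
    configured for login_user, some certificate principal must be listed in it
    (the login name alone does not help); without one, the login name itself
    must be among the certificate's principals."""
    if cert.cert_type != CERT_TYPE_USER or not cert.valid_after <= now < cert.valid_before:
        return False
    if authorized_principals is not None:
        return not principals_from_file(authorized_principals).isdisjoint(cert.principals)
    return login_user in cert.principals


def demo(now: int = 1_580_000_000) -> dict[str, bool]:
    """The thread's setup, one step further: alice's cert also carries 'web-admins',
    which only the web hosts' www file lists.  All names here are made up."""
    alice = parse_cert_line(build_user_cert("alice", ["alice", "web-admins"]))
    bob = parse_cert_line(build_user_cert("bob", ["bob"]))
    web_www_file = "# may become the shared www account\nweb-admins\nbob\n"   # web hosts
    db_www_file = "db-admins\n"                                                # db hosts
    return {
        "alice->www on web host": cert_allows_login(alice, "www", now, web_www_file),
        "bob->www on web host": cert_allows_login(bob, "www", now, web_www_file),
        "alice->www on db host": cert_allows_login(alice, "www", now, db_www_file),
        "alice->alice, no principals file": cert_allows_login(alice, "alice", now),
        "alice->bob, no principals file": cert_allows_login(alice, "bob", now),
    }
```

Running demo() allows the first two cases and the personal login as
alice, and denies alice on the db host and alice-as-bob, which is the
behaviour described above: the www Match block decides by the principals
file, while the personal accounts (no principals file configured) fall
back to requiring the login name itself as a principal. Note that once a
principals file is in effect for an account, a certificate whose only
principal is that account's name is rejected unless the file lists it.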

More information about the openssh-unix-dev mailing list