SSH certificates - restricting to host groups

Brian Candler b.candler at pobox.com
Fri Jan 31 04:06:04 AEDT 2020


On 30/01/2020 16:48, Christian, Mark wrote:
> > However, when alice is no longer authorized, and assuming her cert is
> > still valid, you're going to want to use some configuration mgmt to
> > manage RevokedKeys, otherwise ensure that alice's cert is valid for a
> > short period of time. 

Indeed: I was intending to use a cronjob to fetch a CRL, as suggested at

https://github.com/nsheridan/cashier#revoking-certificates


> AllowGroups, AllowUsers in sshd_config.  /etc/security/access.conf or
> equivalent.  These are the ways to limit access to systems where bob
> and alice are not authorized.

So if I understand you correctly, you're saying "SSH certificates are not intended to be used to carry authorization information".

In general, there is a sound argument for keeping authentication separate from authorization.  On the other hand, it does make me wonder why there is support for multiple principals in one SSH certificate.

Regards,

Brian.



More information about the openssh-unix-dev mailing list