would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?

Peter Moody mindrot at hda3.com
Tue Jun 2 04:47:30 AEST 2020

i might be misunderstanding the question, but wouldn't something like this work?

Match Group unprivileged
  TrustedUserCAKeys /etc/ssh/unprivilged_pub_key

Match User root
  TrustedUserCAKeys /etc/ssh/priviledged_pub_key

On Mon, Jun 1, 2020 at 11:36 AM Christian, Mark
<mark.christian at intel.com> wrote:
> Wondering if it would make sense to have more granular control of
> trustedUserCAkeys?  I have 1 key used to sign root certs, the key is
> shortlived, and is rotated daily.  And I have a 2nd key to sign non-
> privileged user certs.  The non-privileged certs have a longer validity
> period, and the signing keys are not rotated as frequently.  It would
> be nice to ensure this second signing key's associated pubkey in
> trustedusercakeys is never consulted when a root certificate is
> presented, perhaps via some form of blacklisting within the
> trustedusercakeys file?  This would provide some assurance that the
> theft of the second key could not be used to sign root certificates and
> be accepted for the systems I manage.
> Mark Christian
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list