Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source

Jakob Schürz wertstoffe at
Thu Jun 4 09:06:24 AEST 2020

Do you know about certificates for openssh?

You create a ca for hostkeys and another for clientkeys.

Then you create a certificate for all of your hostkey-publickeys with
your host-ca.
Publish these certificates to all of your hosts and change the
configuration of sshd to use these certificates as well.

Publish the public-key of your user-ca to all hosts.

Publish the pubkey for Host-ca to all your clients.

Then create certificates with the user-ca for all of the users' pubkeys. Add
principals (one or more) to these user-certs. Give them to the users.

Change ssh_config to accept only hosts with valid host-certs.

Create mapping-files. Each pam-user gets its own file, where the
principals are listed (one per line) which are allowed to log in as this

You don't need to accept a changed hostkey anymore. You can regulate with
the principal file which user can log in as which user. You can also use a
script instead of these files, so ldap or other mechanisms are possible
too via script.

Certs can have a serial number and a validity date. You can revoke by
pubkey the whole user, or revoke by serial number.

This is a first entry point:

Many howtos talk about pubkeys instead of certificates, when you search
on your search engine. Be careful with your searches. Certificates are using
pubkeys, they are not pubkeys!!
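The setup described in this post, as an added example that is not part of the original message: two CAs, a signed host cert, a signed user cert with principals, serial and validity, the sshd/ssh config lines, principal mapping files, and revocation by serial number through a KRL. The hostname host1.example, user alice, principal admin and serial 1001 are constructed values.

```shell
#!/bin/sh
# Added example: builds the two-CA layout from the post in a scratch dir.
# Names (host1.example, alice, admin, serial 1001) are constructed, not real.
set -eu

# Create host CA + user CA, one signed host cert, one signed user cert,
# the sshd/ssh config fragments, and a KRL revoking the user cert by serial.
make_ssh_pki() {
  dir="$1"; mkdir -p "$dir/principals"
  # 1. Two separate CAs: one for host keys, one for user (client) keys.
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"
  # 2. Host key signed by the host CA (-h = host cert, -n = host principal).
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/host_ca" -h -I host1.example -n host1.example \
    -V +52w "$dir/ssh_host_ed25519_key.pub"
  # 3. User key signed by the user CA: principals (-n), serial (-z), validity (-V).
  ssh-keygen -q -t ed25519 -N '' -f "$dir/alice_key"
  ssh-keygen -q -s "$dir/user_ca" -I alice@example -n alice,admin \
    -z 1001 -V +1d "$dir/alice_key.pub"
  # 4. sshd side: present the host cert, trust the user CA, map principals per account.
  printf 'HostCertificate %s\nTrustedUserCAKeys %s\nAuthorizedPrincipalsFile %s\n' \
    "$dir/ssh_host_ed25519_key-cert.pub" "$dir/user_ca.pub" \
    "$dir/principals/%u" > "$dir/sshd_config.fragment"
  printf 'admin\n' > "$dir/principals/root"   # only principal "admin" may be root
  printf 'alice\n' > "$dir/principals/alice"
  # 5. Client side: trust any host in *.example whose cert the host CA signed.
  printf '@cert-authority *.example %s\n' "$(cat "$dir/host_ca.pub")" \
    > "$dir/known_hosts"
  # 6. Revoke the user cert by serial number (needs the issuing CA's pubkey).
  printf 'serial: 1001\n' > "$dir/revoke.spec"
  ssh-keygen -q -k -f "$dir/revoked.krl" -s "$dir/user_ca.pub" "$dir/revoke.spec"
}

# Serial number embedded in a certificate file.
cert_serial() { ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Serial: //p'; }

# Principals listed in a certificate, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t'
}

# Exit status 0 when the KRL revokes the certificate, 1 when it is still valid.
cert_revoked() {  # $1 = KRL file, $2 = certificate file
  if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then return 1; else return 0; fi
}

# Run the whole demo with RUN_DEMO=1 (writes into ./demo-pki).
if [ "${RUN_DEMO:-0}" = 1 ]; then
  make_ssh_pki ./demo-pki && cert_principals ./demo-pki/alice_key-cert.pub
fi
```

Inspect any produced certificate with `ssh-keygen -L -f <file>-cert.pub`; a host that presents a key without a cert from host_ca is rejected by the `@cert-authority` line only if plain-key entries for it are not also present in known_hosts.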
