SSH certificate and serverside ForceCommand

Brian Candler b.candler at
Wed Jun 24 02:38:57 AEST 2020

On 23/06/2020 16:11, Alejandro Dabin wrote:
> As a side note, more information about the certificate (issue and
> expiration time) could be useful for auditing. It would be useful too if
> the server could log it (aside from CA, certificate serial, etc), but
> couldn't find any option either.

AuthorizedPrincipalsCommand can use a number of tokens which are expanded:

            %%    A literal `%'.
            %F    The fingerprint of the CA key.
            %f    The fingerprint of the key or certificate.
            %h    The home directory of the user.
            %i    The key ID in the certificate.
            %K    The base64-encoded CA key.
            %k    The base64-encoded key or certificate for authentication.
            %s    The serial number of the certificate.
            %T    The type of the CA key.
            %t    The key or certificate type.
            %U    The numeric user ID of the target user.
            %u    The username.

More information about the openssh-unix-dev mailing list