AuthenticationMethods for ssh certificate

Peter Moody mindrot at
Thu Feb 4 05:22:48 AEDT 2021

On Wed, Feb 3, 2021 at 4:32 AM Wim S <wimsharing at> wrote:

> I don't seem to find a way to specify that one of the pubkey in
> AuthenticationMethods pubkey,pubkey should be a valid ssh certificate.
> Is there maybe any other way to enforce this ?

it looks like there are a number of ways you can do this:

 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
AuthorizedKeysFile to something like /etc/ssh/empty

 2. You can set PubkeyAcceptedKeyTypes to a cert type.

I think both of these will work either globally or in a Match block.

More information about the openssh-unix-dev mailing list