AuthenticationMethods for ssh certificate

asymptosis asymptosis at posteo.net
Thu Feb 4 08:49:49 AEDT 2021


>it looks like there are a number of ways you can do this:
>
> 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
>AuthorizedKeysFile to something like /etc/ssh/empty
>
> 2. You can set PubkeyAcceptedKeyTypes to a cert type.
>
>I think both of these will work either globally or in a Match block.

Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:

```
AuthorizedPrincipalsFile    /etc/ssh/principals/%u
TrustedUserCAKeys           /etc/ssh/ca.pub

AllowGroups                 public-ssh
AuthorizedKeysFile	        none
AuthorizedKeysCommand       /sbin/authorized_keys
AuthorizedKeysCommandUser   nobody

AuthenticationMethods       publickey
PubkeyAuthentication        yes

Match Address 10.0.0.0/8
AllowGroups                 private-ssh root
PermitRootLogin             prohibit-password

Match User git
PubkeyAcceptedKeyTypes      ssh-ed25519-cert-v01 at openssh.com,ssh-ed25519
```


More information about the openssh-unix-dev mailing list