AuthenticationMethods for ssh certificate

asymptosis asymptosis at
Thu Feb 4 08:49:49 AEDT 2021

>it looks like there are a number of ways you can do this:
> 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
>AuthorizedKeysFile to something like /etc/ssh/empty
> 2. You can set PubkeyAcceptedKeyTypes to a cert type.
>I think both of these will work either globally or in a Match block.

Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:

# Certificate auth: a user cert signed by a CA key listed in TrustedUserCAKeys is
# accepted when one of its principals appears in /etc/ssh/principals/<user>.
# Without AuthorizedPrincipalsFile the cert would need the login name itself as
# a principal.
AuthorizedPrincipalsFile    /etc/ssh/principals/%u
TrustedUserCAKeys           /etc/ssh/

# No per-user authorized_keys files at all; plain keypairs are served only by
# the command below, which sshd runs as 'nobody'.
AllowGroups                 public-ssh
AuthorizedKeysFile          none
AuthorizedKeysCommand       /sbin/authorized_keys
AuthorizedKeysCommandUser   nobody

# Public key (plain key or certificate) is the only accepted method.
AuthenticationMethods       publickey
PubkeyAuthentication        yes

# Match Address takes an address/CIDR list (not preserved in the archive).
Match Address
AllowGroups                 private-ssh root
PermitRootLogin             prohibit-password

# Certificate-capable type listed first; this option is an alias of
# PubkeyAcceptedAlgorithms in OpenSSH 8.5 and later.
Match User git
PubkeyAcceptedKeyTypes      ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
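The following script is an added example, not part of the post above or of OpenSSH itself. It builds the other half of the setup the config describes: a throwaway user CA, a certificate whose only principal is "git", the principals file that AuthorizedPrincipalsFile %u resolves to, and an sshd_config fragment pointing at them. It then mirrors sshd's two checks on the certificate (signed by a trusted CA, principal listed for the target user) using only ssh-keygen, so you can confirm a cert is acceptable before restarting sshd. All paths under $WORK, the key comments and the key ID are assumptions for the demo; the principal check is a simplification (it ignores per-principal options in the file).

```shell
#!/bin/sh
# Added example (not the original poster's code): issue a user certificate for
# principal "git" and check it against a TrustedUserCAKeys/AuthorizedPrincipalsFile
# layout. Requires ssh-keygen on PATH. All paths under $WORK are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA, a user key, and a cert for principal "git" (skips files that exist,
# so the script can be re-run without ssh-keygen's overwrite prompt).
make_cert() {
    [ -f "$WORK/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
    [ -f "$WORK/alice" ]   || ssh-keygen -q -t ed25519 -N '' -C 'alice'   -f "$WORK/alice"
    # -s CA key, -I key ID (shows up in sshd logs), -n principal list, -V validity.
    # Output lands in alice-cert.pub next to the public key.
    [ -f "$WORK/alice-cert.pub" ] || \
        ssh-keygen -q -s "$WORK/user_ca" -I 'alice@laptop' -n git -V +52w "$WORK/alice.pub"
}

# Principals file for the git account plus the sshd_config lines that use it.
write_config() {
    mkdir -p "$WORK/principals"
    printf 'git\n' > "$WORK/principals/git"
    cat > "$WORK/sshd_config" <<EOF
TrustedUserCAKeys           $WORK/user_ca.pub
AuthorizedPrincipalsFile    $WORK/principals/%u
AuthorizedKeysFile          none
AuthenticationMethods       publickey
Match User git
PubkeyAcceptedKeyTypes      ssh-ed25519-cert-v01@openssh.com
EOF
}

# Principal names embedded in the cert, one per line.
cert_principals() {
    ssh-keygen -L -f "$WORK/alice-cert.pub" \
        | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}

# Approximates sshd's decision for a login as $1: the cert's signing CA must match
# the trusted CA, and one cert principal must be listed in principals/$1.
cert_is_valid_for() {
    user="$1"
    ca_fp=$(ssh-keygen -lf "$WORK/user_ca.pub" | awk '{print $2}')
    cert_ca=$(ssh-keygen -L -f "$WORK/alice-cert.pub" | awk '/Signing CA:/{print $4}')
    [ "$ca_fp" = "$cert_ca" ] || return 1
    [ -f "$WORK/principals/$user" ] || return 1
    for p in $(cert_principals); do
        grep -qx "$p" "$WORK/principals/$user" && return 0
    done
    return 1
}

# Run the demonstration when ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_cert
    write_config
    if cert_is_valid_for git; then
        echo "certificate accepted for user git (config in $WORK/sshd_config)"
    fi
fi
```

Point the real sshd at $WORK/user_ca.pub and $WORK/principals/%u (or copy them under /etc/ssh) and `ssh -i $WORK/alice git@host` should authenticate with the certificate, while `ssh -i $WORK/alice alice@host` is refused because no principals file lists "git" for that account.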

More information about the openssh-unix-dev mailing list