AuthenticationMethods for ssh certificate

Wim S wimsharing at
Thu Feb 4 09:38:19 AEDT 2021

Hm, I don't want to mix them, I want to use the AuthenticationMethods
feature that enforces that the user must have 1 certificate and 1
normal pubkey to be authenticated.
(I don't think that's possible with your suggestions?)

At the moment, users can just put multiple keys in the
~/.ssh/authorized_keys. If they for example put 2 pubkeys there, they
can access the system because the AuthenticationMethods pubkey,pubkey
rule is satisfied.

But I want to have a rule that one of those 2 pubkeys *must* be a
certificate, so the user uses 1 certificate and 1 normal pubkey
instead of 2 normal pubkeys.


Op wo 3 feb. 2021 om 22:49 schreef asymptosis <asymptosis at>:
> >it looks like there are a number of ways you can do this:
> >
> > 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
> >AuthorizedKeysFile to something like /etc/ssh/empty
> >
> > 2. You can set PubkeyAcceptedKeyTypes to a cert type.
> >
> >I think both of these will work either globally or in a Match block.
> Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:
> ```
> AuthorizedPrincipalsFile    /etc/ssh/principals/%u
> TrustedUserCAKeys           /etc/ssh/
> AllowGroups                 public-ssh
> AuthorizedKeysFile              none
> AuthorizedKeysCommand       /sbin/authorized_keys
> AuthorizedKeysCommandUser   nobody
> AuthenticationMethods       publickey
> PubkeyAuthentication        yes
> Match Address
> AllowGroups                 private-ssh root
> PermitRootLogin             prohibit-password
> Match User git
> PubkeyAcceptedKeyTypes      ssh-ed25519-cert-v01 at,ssh-ed25519
> ```

More information about the openssh-unix-dev mailing list