AuthenticationMethods for ssh certificate

Wim S wimsharing at gmail.com
Thu Feb 4 09:38:19 AEDT 2021


Hm, I don't want to mix them, I want to use the AuthenticationMethods
feature that enforces that the user must have 1 certificate and 1
normal pubkey to be authenticated.
(I don't think that's possible with your suggestions?)

At the moment, users can just put multiple keys in the
~/.ssh/authorized_keys. If they for example put 2 pubkeys there, they
can access the system because the AuthenticationMethods pubkey,pubkey
rule is satisfied.

But I want to have a rule that one of those 2 pubkeys *must* be a
certificate, so the user uses 1 certificate and 1 normal pubkey
instead of 2 normal pubkeys.

Wim


Op wo 3 feb. 2021 om 22:49 schreef asymptosis <asymptosis at posteo.net>:
>
> >it looks like there are a number of ways you can do this:
> >
> > 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
> >AuthorizedKeysFile to something like /etc/ssh/empty
> >
> > 2. You can set PubkeyAcceptedKeyTypes to a cert type.
> >
> >I think both of these will work either globally or in a Match block.
>
> Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:
>
> ```
> AuthorizedPrincipalsFile    /etc/ssh/principals/%u
> TrustedUserCAKeys           /etc/ssh/ca.pub
>
> AllowGroups                 public-ssh
> AuthorizedKeysFile              none
> AuthorizedKeysCommand       /sbin/authorized_keys
> AuthorizedKeysCommandUser   nobody
>
> AuthenticationMethods       publickey
> PubkeyAuthentication        yes
>
> Match Address 10.0.0.0/8
> AllowGroups                 private-ssh root
> PermitRootLogin             prohibit-password
>
> Match User git
> PubkeyAcceptedKeyTypes      ssh-ed25519-cert-v01 at openssh.com,ssh-ed25519
> ```


More information about the openssh-unix-dev mailing list