AuthenticationMethods for ssh certificate

Peter Moody mindrot at
Thu Feb 4 09:59:15 AEDT 2021

On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing at> wrote:

> This prevents getting into the system if you have control of the MFA
> setup (which is handled by another team) or getting into the system
> without MFA :-)

heh, seems like you all have trust issues :)

more seriously though, without over-engineering this, you I *think*
you could do something like

AuthenticationMethods publickey,publickey
TrustedUserCAKeys /etc/ssh/
AuthorizedKeysFile none
AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
AuthorizedKeysCommandUser nobody

and then /pull/a/single/key looks like

head -1 $1

or you could store the pubkeys somewhere the user can't control, like
ldap, and use an authorizedkeyscommand to fetch them.

I agree though, if a publickey:certificate option existed, it'd be a
lot cleaner.

More information about the openssh-unix-dev mailing list