AuthenticationMethods for ssh certificate

Jim Knoble jmknoble at pobox.com
Thu Feb 4 16:42:29 AEDT 2021


What other %-tokens are available with AuthorizedKeysCommand? Could you pass one or more of them to /pull/a/single/key in order to enable a single key that differs per user or per client host or whatever the criteria are?

> On Feb 3, 2021, at 15:21, Wim S <wimsharing at gmail.com> wrote:
> 
> I thought of something similar, but the user said "but I want to have
> multiple ssh keys because I use different keys on different devices"
> :/
> 
> Op wo 3 feb. 2021 om 23:59 schreef Peter Moody <mindrot at hda3.com>:
>> 
>>> On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing at gmail.com> wrote:
>>> 
>>> This prevents getting into the system if you have control of the MFA
>>> setup (which is handled by another team) or getting into the system
>>> without MFA :-)
>> 
>> heh, seems like you all have trust issues :)
>> 
>> more seriously though, without over-engineering this, I *think* you
>> could do something like
>> 
>> AuthenticationMethods publickey,publickey
>> TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
>> AuthorizedKeysFile none
>> AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
>> AuthorizedKeysCommandUser nobody
>> 
>> and then /pull/a/single/key looks like
>> 
>> #!/bin/bash
>> # print only the first key line of the file sshd hands us
>> head -n 1 "$1"
>> 
>> or you could store the pubkeys somewhere the user can't control, like
>> ldap, and use an authorizedkeyscommand to fetch them.
>> 
>> I agree though, if a publickey:certificate option existed, it'd be a
>> lot cleaner.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
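On the token question: sshd_config(5) documents %u (username), %h (home directory), %t (key type), %f (fingerprint), %k (base64 key or certificate) and %U (numeric uid) for AuthorizedKeysCommand, plus %% for a literal percent sign; newer releases add connection-endpoint tokens, so check the TOKENS section of the sshd_config(5) that ships with your sshd. The script below is an added worked example of the "one key per user" variant, not code from this thread or from OpenSSH. The install path /usr/local/sbin/single-key, the AuthorizedKeysCommandUser "sshkeys" and the /etc/ssh/keystore/<username> layout are assumptions for illustration, and the key lines in the test data are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSH project: an
# AuthorizedKeysCommand that returns exactly one key for the target user,
# so that the second entry of "AuthenticationMethods publickey,publickey"
# can only be satisfied by a certificate from TrustedUserCAKeys.
#
# Assumed sshd_config (paths and user name are hypothetical):
#   AuthenticationMethods publickey,publickey
#   TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/sbin/single-key %u
#   AuthorizedKeysCommandUser sshkeys
#
# Assumed key store: /etc/ssh/keystore/<username>, root-owned, readable by
# the AuthorizedKeysCommandUser, holding bare authorized_keys lines.
set -eu

KEYSTORE="${KEYSTORE:-/etc/ssh/keystore}"

# A bare key line: recognised key type, base64 blob, optional comment.
# Anything else (blank lines, comments, option-prefixed lines) is ignored
# rather than forwarded to sshd.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

# single_key USERNAME
# Prints the first bare key line of the user's store file and returns 0,
# or prints nothing and returns 1 (sshd then has no key to accept).
# The presented key (%f/%k) is deliberately not consulted; see the note
# after this block.
single_key() {
    user="$1"
    # Only accept plain account names: a '/', a leading '.' or other odd
    # characters could point outside the store directory.
    case "$user" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    store="$KEYSTORE/$user"
    [ -f "$store" ] || return 1
    line=$(grep -E "$KEY_RE" "$store" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# sshd passes the username as the only argument.  With no arguments (for
# example when the file is sourced for testing) nothing runs.
[ "$#" -eq 0 ] || single_key "$@"
```

Two things to keep in mind when using something like this. sshd runs the command afresh for every publickey attempt and does not tell it which of the two required publickey entries is being attempted, so a version that used %f or %k to return "whichever stored key matches" would let two plain device keys satisfy publickey,publickey with no certificate at all; ignoring the presented key and always returning the same single line is what makes the second factor a certificate. The script, its directory and the store must be owned by root and not writable by group or others, or sshd refuses to run it. Note also that sshd only refuses to count the same public key twice, so two different certificates signed by the trusted CA would still satisfy both entries; this scheme forces "at least one certificate", not "exactly one key and one certificate".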


