AuthenticationMethods for ssh certificate

Rory Campbell-Lange rory at
Thu Feb 4 19:09:00 AEDT 2021

On 03/02/21, Jim Knoble (jmknoble at wrote:
> What other %-tokens are available with AuthorizedKeysCommand? Could
> you pass one or more of them to /pull/a/single/key in order to enable
> a single key that differs per user or per client host or whatever the
> criteria are?

AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
That is, the key/certificate fingerprint, home directory of the user,
base64 key or certificate key, key type, numeric user id or username.

Although this probably isn't appropriate for Wim's use-case, the use of
certificate principals could be considered. One can use the
AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser and
AuthorizedPrincipalsFile to control access based on the permitted
principal names specified in a certificate.

Additionally user identification can be embedded in a certificate.

I guess if one trusts the certificate issuer to only issue certificates
to valid public key holders, and where the certificate is scoped by
principal, the requirement to also validate the original public key on
the target ssh host falls away.

Regretfully, I've been unable to convince my team to trust the use of
certificates sufficiently to do this(!)
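
As an added example (not code from this thread or from OpenSSH), a minimal AuthorizedPrincipalsCommand helper along the lines of the principal-scoping approach described above: it only hands sshd a principal list when the presented key is a certificate, so plain keys still have to be matched the usual way. The script path, CA key path and the user-to-principal map are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# sshd_config would wire it up roughly like this (paths are assumptions):
#   TrustedUserCAKeys           /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsCommand /usr/local/bin/ssh-principals %u %t
#   AuthorizedPrincipalsCommandUser nobody
# sshd accepts the login only if one of the principal names embedded in
# the client's certificate appears in this command's output.

# Constructed user -> permitted principals map (stands in for a real
# lookup such as a file under /etc/ssh or a directory query).
PRINCIPAL_MAP='alice:alice,ops
bob:bob
carol:carol,ops,dba'

# principals_for USER KEYTYPE
# Prints one permitted principal per line for USER, but only when the
# presented key type is a certificate (*-cert-v01@openssh.com). A plain
# public key gets no principals here, so it must still be matched by
# AuthorizedKeysFile / AuthorizedKeysCommand; empty output makes sshd
# reject the certificate path for that login.
principals_for() {
    user=$1
    keytype=$2
    case $keytype in
        *-cert-v01@openssh.com) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "$PRINCIPAL_MAP" | while IFS=: read -r u plist; do
        [ "$u" = "$user" ] || continue
        printf '%s\n' "$plist" | tr ',' '\n'
    done
}

# When invoked by sshd the username and key type arrive as %u and %t.
if [ $# -ge 2 ]; then
    principals_for "$1" "$2"
fi
```

sshd requires the command to be given as an absolute path, owned by root and not writable by group or others, and it runs it as AuthorizedPrincipalsCommandUser, so the map source must be readable by that account.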


More information about the openssh-unix-dev mailing list