add keys and certificate to forwarded agent on remote host

Michael Ströder michael at stroeder.com
Fri Sep 21 20:16:48 AEST 2018


On 9/20/18 9:41 PM, Rory Campbell-Lange wrote:
> The missing piece in the puzzle for our use case is extracting the user
> from the connection by pairing their connection key to one in a user
> database without having to create a local user for each remote ssh user
> on the authenticating server. I assume the usshca ssh server deals with
> this by allowing "username at usshca" connections for all known users?

Maybe I'm missing your point. But IMHO the prerequisite for using an
SSH-CA is decent user management with secure user authentication to be
used for identity check *before* even issuing the user cert.

Personally I'm using my own LDAP user management which supports 2FA
(HOTP) also used for POSIX account/group data. But any other such user
management will do.

Ciao, Michael.

