AuthenticationMethods for ssh certificate
asymptosis
asymptosis at posteo.net
Thu Feb 4 08:49:49 AEDT 2021
>it looks like there are a number of ways you can do this:
>
> 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
>AuthorizedKeysFile to something like /etc/ssh/empty
>
> 2. You can set PubkeyAcceptedKeyTypes to a cert type.
>
>I think both of these will work either globally or in a Match block.
Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:
```
AuthorizedPrincipalsFile /etc/ssh/principals/%u
TrustedUserCAKeys /etc/ssh/ca.pub
AllowGroups public-ssh
AuthorizedKeysFile none
AuthorizedKeysCommand /sbin/authorized_keys
AuthorizedKeysCommandUser nobody
AuthenticationMethods publickey
PubkeyAuthentication yes
Match Address 10.0.0.0/8
AllowGroups private-ssh root
PermitRootLogin prohibit-password
Match User git
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
```
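The three checks that configuration leans on (the certificate must be signed by the key in TrustedUserCAKeys, one of its principals must appear in the AuthorizedPrincipalsFile for the account, and its key type must be in PubkeyAcceptedKeyTypes) can be exercised offline with ssh-keygen alone. The script below is an added example, not part of the original post or of OpenSSH; it assumes ssh-keygen is installed and uses a scratch directory in place of /etc/ssh, with a file named `git` standing in for the `%u` expansion of the principals path:

```sh
#!/bin/sh
# Added example (not from the original post): build a throwaway user CA, sign a
# user key for the principal "git", and reproduce the checks sshd performs under
# TrustedUserCAKeys + AuthorizedPrincipalsFile. Requires ssh-keygen.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch dir standing in for /etc/ssh
CA="$WORK/ca"                  # $CA.pub plays the role of /etc/ssh/ca.pub

# Create the user CA key pair (the private half never goes on the sshd host).
setup_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$CA"
}

# Sign $1.pub as a user certificate for the comma-separated principals $2,
# with key ID $3. Produces $1-cert.pub, valid for one year.
sign_user_cert() {
  user_key="$1"; principals="$2"; ident="$3"
  ssh-keygen -q -s "$CA" -I "$ident" -n "$principals" -V +52w "$user_key.pub"
}

# AuthorizedPrincipalsFile /etc/ssh/principals/%u: account $1 accepts principal $2.
write_principals() {
  mkdir -p "$WORK/principals"
  printf '%s\n' "$2" > "$WORK/principals/$1"
}

# Key type as sshd would match it against PubkeyAcceptedKeyTypes.
cert_type() {
  ssh-keygen -L -f "$1" | awk '/Type:/{print $2; exit}'
}

# TrustedUserCAKeys check: the cert's signing CA fingerprint must equal ours.
cert_signed_by_ca() {
  ca_fp="$(ssh-keygen -lf "$CA.pub" | awk '{print $2}')"
  cert_fp="$(ssh-keygen -L -f "$1" | awk '/Signing CA:/{print $4}')"
  [ "$ca_fp" = "$cert_fp" ]
}

# AuthorizedPrincipalsFile check: some principal in cert $1 must be listed for
# account $2. Returns 0 on a match, 1 otherwise.
cert_allows_account() {
  cert="$1"; account="$2"
  principals="$(ssh-keygen -L -f "$cert" \
    | awk '/Principals:/{f=1;next} /Critical Options:/{f=0} f{print $1}')"
  for p in $principals; do
    grep -qx "$p" "$WORK/principals/$account" && return 0
  done
  return 1
}

# Stand-alone walk-through: alice is certified for "git", bob is not.
demo() {
  setup_ca
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/bob"
  sign_user_cert "$WORK/alice" git alice-laptop
  sign_user_cert "$WORK/bob" "bob,deploy" bob-laptop
  write_principals git git
  echo "alice cert type: $(cert_type "$WORK/alice-cert.pub")"
  cert_signed_by_ca "$WORK/alice-cert.pub" && echo "alice cert: signed by our CA"
  cert_allows_account "$WORK/alice-cert.pub" git && echo "alice: may log in as git"
  cert_allows_account "$WORK/bob-cert.pub" git || echo "bob: principals do not include git"
}
```

Run it with `sh script.sh` after uncommenting or appending a `demo` call. Note that a certificate signed by the right CA is still refused for the `git` account unless one of its principals is listed in the account's principals file, which is what keeps bob out even though his certificate verifies.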