AuthenticationMethods for ssh certificate

asymptosis asymptosis at posteo.net
Thu Feb 4 09:55:53 AEDT 2021


>It's actually 2 factors in our setup, the ssh certificate is created
>using MFA (and have a short lifetime), and the pubkey is the users own
>private key.
>
>This prevents getting into the system if you have control of the MFA
>setup (which is handled by another team) or getting into the system
>without MFA :-)

My understanding was the certificate can only be used in conjunction with the user's private key anyway? So I think what you're after already happens automatically.

E.g. I have a user set up like this:

$ ls .ssh
config  id_ed25519  id_ed25519-cert.pub  id_ed25519.pub  known_hosts

$ cat .ssh/config
Host repos
User git
Hostname 10.0.0.1
PasswordAuthentication no
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com
StrictHostKeyChecking accept-new
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes

When I move the id_ed25519 out of ~/.ssh, I get permission denied:

$ ssh repos
no such identity: <home-directory>/.ssh/id_ed25519: No such file or directory
git@10.0.0.1: Permission denied (publickey).
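
The reason the certificate is useless without id_ed25519 is that the certificate body embeds the user's public key, so the server's publickey challenge can only be answered by the matching private key. The script below is an added example, not code from the poster or from OpenSSH: it parses an ssh-ed25519-cert-v01@openssh.com line (the format of id_ed25519-cert.pub, per OpenSSH's PROTOCOL.certkeys) and checks which key, principals and validity window it is bound to. The keys and the certificate it works on are constructed in the script with an all-zero placeholder signature, so they are not real key pairs and the CA signature is not verified; a real certificate comes from ssh-keygen -s.

```python
"""Inspect an OpenSSH ed25519 user certificate and confirm which key it is bound to."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # PROTOCOL.certkeys: 1 = user cert, 2 = host cert


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate blob")
        self.pos += n
        return v

    def done(self) -> bool:
        return self.pos >= len(self.data)


def _name_list(blob: bytes) -> list:
    """Decode a packed sequence of SSH strings (the valid-principals field)."""
    r, names = _Reader(blob), []
    while not r.done():
        names.append(r.string().decode())
    return names


def ed25519_pubkey_bytes(pub_line: str) -> bytes:
    """Return the raw 32-byte key from an 'ssh-ed25519 AAAA... comment' line (id_ed25519.pub)."""
    r = _Reader(base64.b64decode(pub_line.split()[1]))
    if r.string() != b"ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key")
    return r.string()


def parse_ed25519_cert(cert_line: str) -> dict:
    """Parse one line of id_ed25519-cert.pub into its PROTOCOL.certkeys fields."""
    algo, b64 = cert_line.split()[:2]
    if algo != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {algo}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("blob does not match declared type")
    cert = {"nonce": r.string(), "public_key": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string().decode(),
            "principals": _name_list(r.string()),
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": r.string(), "extensions": r.string()}
    r.string()  # reserved, always empty
    cert["signature_key"] = r.string()  # the CA's public key blob
    cert["signature"] = r.string()      # CA signature over everything above
    return cert


def cert_usable_with(cert: dict, pub_line: str, principal: str, now=None) -> bool:
    """A user cert only authenticates the key it embeds, for a listed principal, inside its
    validity window. sshd additionally verifies the CA signature; that is not checked here."""
    now = int(time.time()) if now is None else now
    return (cert["type"] == SSH_CERT_TYPE_USER
            and cert["public_key"] == ed25519_pubkey_bytes(pub_line)
            and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


def build_sample_cert(user_pub, ca_pub, key_id, principals, valid_after, valid_before) -> str:
    """Constructed sample: assembles the cert wire format with an all-zero placeholder signature."""
    body = (_string(CERT_TYPE.encode()) + _string(b"\x11" * 32)  # type, nonce
            + _string(ed25519_pubkey_bytes(user_pub))            # the key this cert is bound to
            + struct.pack(">Q", 1) + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(b"") + _string(b"") + _string(b"")         # options, extensions, reserved
            + _string(_string(b"ssh-ed25519") + _string(ed25519_pubkey_bytes(ca_pub))))
    body += _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64))  # placeholder signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


def _sample_pub(seed: int) -> str:
    """Constructed ssh-ed25519 public-key line (not a real key pair)."""
    blob = _string(b"ssh-ed25519") + _string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} sample@example"


USER_PUB, OTHER_PUB, CA_PUB = _sample_pub(0x42), _sample_pub(0x43), _sample_pub(0x01)
# Eight-hour validity window, as a short-lived MFA-issued cert would have.
SAMPLE_CERT = build_sample_cert(USER_PUB, CA_PUB, "alice-mfa", ["git"], 1_612_000_000, 1_612_028_800)

if __name__ == "__main__":
    c = parse_ed25519_cert(SAMPLE_CERT)
    print(c["key_id"], c["principals"], c["valid_before"] - c["valid_after"], "seconds")
    print("usable with own key:", cert_usable_with(c, USER_PUB, "git", now=1_612_010_000))
    print("usable with another key:", cert_usable_with(c, OTHER_PUB, "git", now=1_612_010_000))
```

Pointed at a real id_ed25519-cert.pub and id_ed25519.pub, the same parse_ed25519_cert and cert_usable_with calls show that the certificate names one specific public key, which is why moving id_ed25519 away leaves ssh with nothing that can answer the server's challenge. ssh-keygen -L -f id_ed25519-cert.pub prints the same fields.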
