AuthenticationMethods for ssh certificate
Peter Moody
mindrot at hda3.com
Thu Feb 4 09:59:15 AEDT 2021
On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing at gmail.com> wrote:
> This prevents getting into the system if you have control of the MFA
> setup (which is handled by another team) or getting into the system
> without MFA :-)
heh, seems like you all have trust issues :)
more seriously though, without over-engineering this, I *think*
you could do something like
AuthenticationMethods publickey,publickey
TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
AuthorizedKeysFile none
AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
AuthorizedKeysCommandUser nobody
and then /pull/a/single/key looks like
#!/bin/bash
# print only the first line of the file sshd passes in (%h/.ssh/authorized_keys)
head -1 "$1"
or you could store the pubkeys somewhere the user can't control, like
ldap, and use an authorizedkeyscommand to fetch them.
I agree though, if a publickey:certificate option existed, it'd be a
lot cleaner.
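The idea above is that the AuthorizedKeysCommand, not the user, decides how many keys count toward the second `publickey` method. The helper below is an added example and is not Peter's script or anything shipped with OpenSSH: it assumes POSIX sh and awk, that sshd passes the user's authorized_keys path as the single argument (the `%h/.ssh/authorized_keys` token from the config above), and that the script is installed at an absolute path owned by root and not group- or world-writable, which sshd requires before it will run an AuthorizedKeysCommand. It skips blank and comment lines, refuses symlinks and non-regular files, and emits at most one key line, so stacking extra keys in the user's file cannot satisfy both `publickey` slots. `key_count` is a small audit helper for spotting users who have done exactly that.

```shell
#!/bin/sh
# Added example (not the original poster's script): a single-key
# AuthorizedKeysCommand for use with
#   AuthenticationMethods publickey,publickey
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
# sshd accepts every line this command prints, so the one-key limit has to be
# enforced here, not by sshd.

# Lines that carry a key: an optional options prefix followed by a key type
# token such as ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256 or sk-ssh-ed25519@...
KEY_LINE='(^|[[:space:]])(ssh-|ecdsa-sha2-|sk-)'

# first_key FILE: print the first real key line from FILE, or nothing.
first_key() {
    file=$1
    # Symlinks and non-regular files (FIFOs, devices) are ignored outright.
    [ -L "$file" ] && return 0
    [ -f "$file" ] || return 0
    awk -v pat="$KEY_LINE" '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        $0 ~ pat            { print; exit }   # first key wins, then stop
    ' "$file"
}

# key_count FILE: how many key lines FILE holds (for auditing user files).
key_count() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo 0
        return 0
    fi
    awk -v pat="$KEY_LINE" '
        /^[[:space:]]*(#|$)/ { next }
        $0 ~ pat            { n++ }
        END                 { print n + 0 }
    ' "$file"
}

# When invoked by sshd there is exactly one argument: the user's key file.
if [ $# -eq 1 ]; then
    first_key "$1"
fi
```

Because `AuthorizedKeysFile none` disables sshd's own file lookup, this command is the only non-certificate key source, and the certificate signed by the key in TrustedUserCAKeys supplies the other `publickey` method. Any line after the first in the user's file is simply never seen by sshd.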