Match PubkeyType (sshd_config feature request)
Al
allogenes at posteo.net
Sat Apr 2 08:57:16 AEDT 2022
Hey there,
I've got another feature request :) I would like to be able to add something which looks like this to sshd_config:
```
Match PubkeyType ssh-ed25519-cert-v01 at openssh.com, Address 123.123.0.0/16
AllowGroups ssh-cert-users
Match PubkeyType sk-ssh-ed25519 at openssh.com, Address 234.234.0.0/16
AllowGroups ssh-yubikey-users
```
For background, I already have something like this:
```
AllowGroups public-ssh
Match Address 127.0.0.0/16,localhost,192.168.0.0/16,10.1.0.0/24
AllowGroups private-ssh root
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
AllowGroups private-ssh
```
So, someone in the private-ssh group usually needs to proxyjump through a public-ssh user (which has a very restricted account.) Now I want to relax it so that the private-sshers can bypass proxyjumping so long as they have a cert.
I thought about something like this:
```
Match Group ssh-cert-users
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01 at openssh.com
```
But then (iiuc) they still won't be able to log in unless you give the match an AllowGroup:
```
Match Group ssh-cert-users
AllowGroup ssh-cert-users
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01 at openssh.com
```
Which seems circular ... allow the group if they're in the group, what?
And there are other possible complications, like what if they are in both ssh-cert-users and ssh-private, and they use different keys for different purposes? "Match Group" doesn't seem to provide the required flexibility.
There could be other uses too, like before transitioning to a pure cert/sk setup, you can Match deprecated key types to provide those users with a Banner warning. "We will be disabling ssh-rsa and ssh-ed25519 on 2022-06-30. Please remember to switch to sk keys before then."
So after circling around the problem for a while, I keep coming back to the same idea: it would be cool to be able to match the incoming key type, as I see a few interesting uses for this.
Do you think it would be doable?
Al
More information about the openssh-unix-dev
mailing list