Non-shell accounts and scp/sftp
Philip Prindeville
philipp_subx at redfish-solutions.com
Sat Dec 9 03:24:55 AEDT 2023
> On Dec 8, 2023, at 8:53 AM, Rory Campbell-Lange <rory at campbell-lange.net> wrote:
>
> On 07/12/23, Philip Prindeville (philipp_subx at redfish-solutions.com) wrote:
>> We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host.
>
> Off topic, and assuming the .p12 bundles need to be post-processed by clients for use by ssh, might it not be worth considering an ssh certificate signing authority?

Actually they're TLS client certificates for HTTPS/RESTCONF access to the appliance.

> I've made the proof-of-concept noted below, which adds certificates to forwarded agents. It doesn't need shell accounts, but presently requires ssh public keys to be added to a yaml file:
>
> https://github.com/rorycl/sshagentca
>
> Cheers,
> Rory