destination-address in a ssh certificate
Brian Candler
b.candler at pobox.com
Wed Oct 15 03:49:20 AEDT 2025
On 14/10/2025 16:43, Briner Cédric (DIN) via openssh-unix-dev wrote:
> We want to use ssh certificates. We would like to create a certificate that says this ssh pub key can only connect to this server with this account.
>
> Reading the manual, we have the strong feeling that what can be inserted in the certificate is the information that used to be in authorized_keys.
>
> But historically speaking, there was no need, at that time, for a field named "destination-address", as this was implicit. That information wasn't needed because an authorized_keys file applied to only one machine: the machine where the authorized_keys was installed.
>
> So how could I do this?
You can insert principals into the certificate, together with the
AuthorizedPrincipalsCommand.
For example, suppose you have:
AuthorizedPrincipalsCommand /etc/ssh/principals.sh %u
AuthorizedPrincipalsCommandUser nobody
where /etc/ssh/principals.sh looks like:
#!/bin/sh -eu
echo "$1@`hostname -f`"
echo "$1@+webserver"
Then if you make an ssh connection like "ssh brian@www1.example.com",
you will be granted access if your certificate contains principal
"brian@www1.example.com" or "brian@+webserver".
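An added illustration of the scheme Brian describes, not code from this thread: the principals helper below takes the host's FQDN and role tags as arguments instead of calling hostname -f (a hypothetical interface, chosen so it runs offline), and cert_allows reproduces the matching rule sshd applies between the command's output and the principals embedded in the presented certificate.

```shell
#!/bin/sh
set -eu
# principals_for USER FQDN [ROLE...]: prints one principal per line, the
# same shape as /etc/ssh/principals.sh above. In a real deployment sshd
# would run it as "AuthorizedPrincipalsCommand /etc/ssh/principals.sh %u"
# and the script would take the FQDN from hostname -f.
principals_for() {
  user=$1; fqdn=$2; shift 2
  # host-specific principal: this account on this machine only
  printf '%s@%s\n' "$user" "$fqdn"
  # one role principal per tag the host carries (e.g. +webserver)
  for role in "$@"; do
    printf '%s@+%s\n' "$user" "$role"
  done
}

# cert_allows CERT_PRINCIPALS USER FQDN [ROLE...]
# Illustrates sshd's rule: access is granted when at least one principal
# listed in the certificate equals one line of the command's output.
# CERT_PRINCIPALS is the certificate's newline-separated principal list
# (what "ssh-keygen -L -f id_ed25519-cert.pub" shows under "Principals:").
cert_allows() {
  cert_principals=$1; shift
  for p in $(principals_for "$@"); do   # principals contain no whitespace
    if printf '%s\n' "$cert_principals" | grep -qxF -- "$p"; then
      return 0
    fi
  done
  return 1
}

# Constructed sample: the principal list of a user certificate signed with
#   ssh-keygen -s ca_key -I brian -n 'brian@www1.example.com,brian@+webserver' id_ed25519.pub
SAMPLE_CERT_PRINCIPALS='brian@www1.example.com
brian@+webserver'

# The same certificate presented to three hosts: the www1 box, a second
# web server, and a database host. Only the first two grant access.
for host_spec in "www1.example.com webserver" "www2.example.com webserver" "db1.example.com database"; do
  if cert_allows "$SAMPLE_CERT_PRINCIPALS" brian $host_spec; then
    echo "brian -> ${host_spec%% *}: allowed"
  else
    echo "brian -> ${host_spec%% *}: denied"
  fi
done
```

Because the certificate carries only brian's principals, presenting it as another account (e.g. root) is refused on every host, which is the per-account restriction the original question asks for.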