On 9/20/18 9:41 PM, Rory Campbell-Lange wrote:
> The missing piece in the puzzle for our use case is extracting the user
> from the connection by pairing their connection key to one in a user
> database without having to create a local user for each remote ssh user
> on the authenticating server. I assume the usshca ssh server deals with
> this by allowing "username@usshca" connections for all known users?

Maybe I'm missing your point. But IMHO the prerequisite for using an SSH-CA is a decent user management with secure user authentication, used for an identity check *before* even issuing the user cert.

Personally I'm using my own LDAP user management, which supports 2FA (HOTP) and is also used for POSIX account/group data. But any other such user management will do.

Ciao, Michael.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev