On Sat, 16 Feb 2019, Peter Moody wrote:

> I suspect the answer to this is no, but say I have a setup where I
> have a server with a shared user account and I want anyone with a
> valid cert to be able to use that shared user. Is there a wildcard
> AuthorizedPrincipal I can specify in my sshd_config to mean, "any
> user"?

No, they must match exactly.

> Alternatively, is there a way I can see the valid principals that the
> incoming cert has in the AuthorizedPrincipalsCommand? It didn't appear
> to be possible with the available TOKENS.

No, you'd have to parse the certificate itself to get at that ATM.

> I would like to not have to enumerate every possible user because the
> posix accounts don't exist on this shared machine and getting a
> complete list of principals should be unnecessary considering our
> certificate authority has validated the user(s)

IMO the best way to handle this is to put a common principal into every
certificate, e.g. "shared-machines", and authorise that principal on the
shared machine(s).

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
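The two answers above (principals must match exactly, and an AuthorizedPrincipalsCommand would have to parse the certificate itself to see them) can be illustrated with a small parser. This is an added example, not code from the thread or from OpenSSH: it builds a constructed, unsigned ssh-ed25519 certificate blob in the PROTOCOL.certkeys field order, extracts its principal list, and checks it against an authorised set the way AuthorizedPrincipalsFile does, using the suggested "shared-machines" principal. The key id, comment string and dummy nonce/key/signature bytes are assumptions.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:  # SSH wire 'string': uint32 big-endian length, then bytes
    return struct.pack(">I", len(b)) + b

def make_cert_line(key_id: str, principals: list[str]) -> str:
    """Constructed certificate line in PROTOCOL.certkeys layout (dummy nonce/key/signature)."""
    blob = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x11" * 32)  # type, nonce, pubkey
            + struct.pack(">QI", 42, 1)                          # serial, type 1 = user
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
            + struct.pack(">QQ", 0, 2**64 - 1)                   # valid after / before
            + _s(b"") + _s(b"") + _s(b"")                        # critical options, extensions, reserved
            + _s(b"\x22" * 51) + _s(b"\x33" * 83))               # signature key, signature (dummy)
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} pmoody@example"

class _Reader:
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.off)
        val = self.data[self.off + 4:self.off + 4 + n]
        if len(val) != n:
            raise ValueError("truncated certificate")
        self.off += 4 + n
        return val

def cert_principals(cert_line: str) -> list[str]:
    """Extract the 'valid principals' list from a certificate public-key line."""
    r = _Reader(base64.b64decode(cert_line.split()[1]))
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string(); r.string()          # nonce, signed public key
    r.off += 8 + 4                  # serial (uint64), type (uint32)
    r.string()                      # key id
    inner = _Reader(r.string())     # principals: packed sequence of strings
    out = []
    while inner.off < len(inner.data):
        out.append(inner.string().decode())
    return out

def accepts(cert_line: str, authorized: set[str]) -> bool:
    """Mirror AuthorizedPrincipalsFile: one exact match admits the certificate."""
    return any(p in authorized for p in cert_principals(cert_line))

SAMPLE_CERT = make_cert_line("pmoody", ["pmoody", "shared-machines"])
```

sshd verifies the CA signature and validity window before principals are consulted, so a helper like this only needs to read the principal field; it does not replace that verification.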