Requiring certificate signature and an authorized key to authenticate


Hey everyone,

Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)?

The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with the `AuthenticationMethods publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key.

The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, require third-party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless.

Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong.


Thanks,
Erik
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
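For concreteness, the two-entry setup described in the message above, written out as an added illustration (this is not part of the original post; the key material and user name are placeholders):

```conf
# --- /etc/ssh/sshd_config (relevant lines only) ---
# Two publickey rounds; OpenSSH requires each round to be completed with a
# different key, so the certified key and the plain key must be distinct
# key pairs.
AuthenticationMethods publickey,publickey
AuthorizedKeysFile .ssh/authorized_keys

# --- ~/.ssh/authorized_keys for the user ---
# One round: any certificate signed by this user CA is accepted.
cert-authority ssh-ed25519 AAAA...CA_PUBLIC_KEY_PLACEHOLDER user-ca
# The other round: the user's plain key, which the CA host never holds.
ssh-ed25519 AAAA...USER_PUBLIC_KEY_PLACEHOLDER user@device-placeholder
# Caveat raised in the post: adding a second plain key here (e.g. for
# another device) lets two plain keys satisfy both rounds, so a compromised
# CA is no longer useless but the certificate is also no longer required.
```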


