SSH certificates - restricting to host groups

Hello,


I am trying to work out the best way to issue SSH certificates in such a way that they only allow access to specific usernames *and* only to specific groups of hosts.


As a concrete example: I want Alice to be able to log in as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to log in as "bob" and "www" to machines in group "webserver" (only).


I have been through the ssh-keygen and sshd_config manpages, and various blog postings, in particular Facebook's one here: <https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>. However, if I issue certs with

ssh-keygen ... -n alice,www,group-webserver ...

ssh-keygen ... -n bob,www,group-webserver ...

and I include "group-webserver" in AuthorizedPrincipalsFile for alice, it lets bob log in as alice (as per documentation, and also tested).


Now I am thinking I need to do something like this:

ssh-keygen ... -n alice:webserver,www:webserver ...

ssh-keygen ... -n bob:webserver,www:webserver ...

with an AuthorizedPrincipalsCommand such as:


#!/bin/sh
# $1 is the requested login name, passed by sshd as %u
echo "$1:webserver"
echo "$1:anywhere"


Is this the best approach, or am I missing a trick?  I'm surprised I couldn't find that someone had already done this and blogged about it.


Thanks,

Brian.


P.S. A minor clarification for the documentation: if AuthorizedPrincipalsFile does not exist, or is empty, it wasn't immediately clear to me if ssh falls back to the same as "AuthorizedPrincipalsFile none", or rejects all access.  By experimentation, it rejects all access, which is very reasonable - but it might be worth a mention nonetheless.
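The "user:group" principal scheme sketched above, carried through as an added example (this is not Brian's script and not part of OpenSSH): an AuthorizedPrincipalsCommand that emits one "user:group" principal per host group this machine belongs to, plus "user:anywhere", and refuses login names that could smuggle in extra principals. It assumes sshd_config carries "AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u" and "AuthorizedPrincipalsCommandUser nobody", and that the host's group membership is listed one group per line in /etc/ssh/host-groups (both paths are assumptions).

```shell
#!/bin/sh
# ssh-principals: print the principals sshd may accept for the login name in $1.
# Host group membership (assumed location; one group name per line, '#' comments
# allowed) is read from HOST_GROUPS_FILE.
HOST_GROUPS_FILE="${HOST_GROUPS_FILE:-/etc/ssh/host-groups}"

# print_principals USER GROUPS_FILE
#   For a host in groups g1, g2, ... prints USER:g1, USER:g2, ..., USER:anywhere.
#   A certificate then matches only if it carries USER:<one of this host's groups>
#   or USER:anywhere, so bob's "bob:webserver,www:webserver" cert can never
#   satisfy alice's principal list.
print_principals() {
    user="$1"
    file="$2"
    # Only plain account names: anything else (space, colon, newline) could
    # turn into an extra principal line, so emit nothing and fail.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    if [ -r "$file" ]; then
        while IFS= read -r group; do
            case "$group" in
                ''|'#'*) continue ;;             # blank line or comment
                *[!A-Za-z0-9._-]*) continue ;;   # malformed group name
            esac
            printf '%s:%s\n' "$user" "$group"
        done < "$file"
    fi
    # Principal usable on every host, for accounts that should log in anywhere.
    printf '%s:anywhere\n' "$user"
}

# When invoked by sshd, $1 is the %u token (the requested login name).
if [ -n "$1" ]; then
    print_principals "$1" "$HOST_GROUPS_FILE"
fi
```

With this in place, Alice's certificate is issued with "-n alice:webserver,www:webserver" and matches on webserver hosts only; a host-groups file listing no groups yields just "alice:anywhere", which her certificate does not carry.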

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
