Hello,
I am trying to work out the best way to issue SSH certificates in such
way that they only allow access to specific usernames *and* only to
specific groups of host.
As a concrete example: I want Alice to be able to login as "alice" and
"www" to machines in group "webserver" (only). Also, I want Bob to be
able to login as "bob" and "www" to machines in group "webserver" (only).
I have been through the ssh-keygen and sshd_config manpages, and various
blog postings, in particular Facebook's one here:
<https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>.
However, if I issue certs with
ssh-keygen ... -n alice,www,group-webserver ...
ssh-keygen ... -n bob,www,group-webserver ...
and I include "group-webserver" in AuthorizedPrincipalsFile for alice,
it lets bob login as alice (as per documentation, and also tested).
Now I am thinking I need to do something like this:
ssh-keygen ... -n alice:webserver,www:webserver ...
ssh-keygen ... -n bob:webserver,www:webserver ...
with an AuthorizedPrincipalsCommand such as:
#!/bin/sh
echo "$1:webserver"
echo "$1:anywhere"
Is this the best approach, or am I missing a trick? I'm surprised I
couldn't find someone had already done this and blogged about it.
Thanks,
Brian.
P.S. A minor clarification for the documentation: if
AuthorizedPrincipalsFile does not exist, or is empty, it wasn't
immediately clear to me if ssh falls back to the same as
"AuthorizedPrincipalsFile none", or rejects all access. By
experimentation, it rejects all access, which is very reasonable - but
it might be worth a mention nonetheless.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev