On 1/30/20 1:27 PM, Brian Candler wrote:
> I am trying to work out the best way to issue SSH certificates in such
> way that they only allow access to specific usernames *and* only to
> specific groups of host.

I also thought about this for a while. The only idea I came up with is to have separate CAs used as trust anchor for each host group. But it was not urgent for me because I have an authorization based on host groups enforced by the user management anyway.

> Now I am thinking I need to do something like this:
> ssh-keygen ... -n alice:webserver,www:webserver ...
> ssh-keygen ... -n bob:webserver,www:webserver ...
> with an AuthorizedPrincipalsCommand such as:
>
> #!/bin/sh
> echo "$1:webserver"
> echo "$1:anywhere"

Haven't thought about using a specific AuthorizedPrincipalsCommand script.

But the other big question is the usability of the process for issuing and using the OpenSSH user certs. What's your idea on this?

Ciao,
Michael.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
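To make the principal-scoping scheme quoted above concrete, here is an added example (not code from either poster) that models how sshd matches the principals an AuthorizedPrincipalsCommand prints against the principals in a user certificate: the login is accepted when at least one printed principal is present in the cert. The `ssh-keygen -L` listing is constructed for a cert issued with `-n alice:webserver,www:webserver`, and the host group is assumed to be supplied per host rather than hard-coded as in the quoted script.

```sh
#!/bin/sh
# Added example: model sshd's principal matching for the scheme from the thread.
# sshd accepts the cert when any principal printed by AuthorizedPrincipalsCommand
# appears in the certificate's "Principals:" list.

# Constructed sample: the relevant part of `ssh-keygen -L` output for a cert
# signed with "-n alice:webserver,www:webserver".
CERT_LISTING='        Key ID: "alice"
        Principals: 
                alice:webserver
                www:webserver
        Critical Options: (none)
        Extensions: 
                permit-pty'

# Mirrors the quoted AuthorizedPrincipalsCommand; $1 is the login user (sshd's %u).
# The host group is a parameter here (assumption) instead of the literal "webserver".
authorized_principals() {   # $1=login user $2=host group
    printf '%s:%s\n' "$1" "$2"
    printf '%s:anywhere\n' "$1"
}

# Pull the principal names out of an `ssh-keygen -L` listing.
cert_principals() {         # $1=listing text
    printf '%s\n' "$1" | awk '
        /^[ \t]*Principals:/       { p = 1; next }
        /^[ \t]*Critical Options:/ { p = 0 }
        p { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}

# Exit 0 when any authorized principal is in the certificate, 1 otherwise.
login_allowed() {           # $1=listing $2=login user $3=host group
    for want in $(authorized_principals "$2" "$3"); do
        if cert_principals "$1" | grep -qxF "$want"; then
            return 0
        fi
    done
    return 1
}

# alice's cert is scoped to the webserver group, so a dbserver host must refuse it.
for group in webserver dbserver; do
    if login_allowed "$CERT_LISTING" alice "$group"; then
        echo "alice on a $group host: allowed"
    else
        echo "alice on a $group host: denied"
    fi
done
```

Note that a cert carrying a bare `alice` principal would still be refused here, because the command never prints an unqualified username; only a cert issued for `alice:anywhere` is valid on every host group.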