Re: SSH certificates - restricting to host groups

On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames *and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust anchor for each host group.

I did think of that, and discounted it as being too ugly :-)

I also thought about using extensions in the user cert - but I couldn't see a way to get sshd to require the presence of a particular extension to permit login.

> But the other big question is the usability of the process for issuing
> and using the OpenSSH user certs. What's your idea on this?

I hadn't got to the details of the user side, but AFAICS all it requires is a list of user:hostgroup principals to include in the cert for a given user. This could be kept directly as an attribute of the user, or you could generate it via a level of indirection (user -> group; group -> list of principals or principal suffixes).

At the host side, I was thinking of authorizing principals based on the machine's "role" in Netbox, which we use as inventory database:

#!/bin/sh
# AuthorizedPrincipalsCommand script: $1 is the requested login name (%u).
# {{ device_role }} is filled in from Netbox when the file is templated.
echo "$1:{{ device_role }}"
echo "$1:all"

Regards,

Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
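The scheme Brian sketches above, worked through end to end as an added example (this is not code from the thread or from OpenSSH): the issuing side resolves user -> groups -> role suffixes into "user:role" principals and builds the ssh-keygen argv for the cert; the host side reproduces what the AuthorizedPrincipalsCommand script prints for a given login name and Netbox role, and the login decision is the intersection of the two lists. The user/group tables, the role names and the "example-ca" key identity are constructed sample data, not anything from the page.

```python
"""'user:hostgroup' SSH certificate principals: issuance and host-side match.

Issuing side: one level of indirection (user -> groups -> role suffixes)
yields the principals to put in a user's cert, e.g. 'alice:db', 'alice:web'.

Host side: sshd's AuthorizedPrincipalsCommand prints the principals it will
accept for the requested login name on this host: '<user>:<device_role>' and
'<user>:all'. The cert is accepted only if the two lists intersect.
"""
from typing import Dict, List, Set

# Constructed sample data standing in for the user directory and Netbox.
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["dba", "oncall"],
    "bob": ["webops"],
    "carol": ["admins"],
}

# Each group grants a set of host-role suffixes; "all" matches every host
# because the host-side script always emits '<user>:all'.
GROUP_SUFFIXES: Dict[str, List[str]] = {
    "dba": ["db"],
    "webops": ["web"],
    "oncall": ["web"],
    "admins": ["all"],
}


def principals_for_user(user: str) -> List[str]:
    """Resolve user -> groups -> suffixes into sorted 'user:suffix' principals."""
    suffixes: Set[str] = set()
    for group in USER_GROUPS.get(user, []):
        suffixes.update(GROUP_SUFFIXES.get(group, []))
    return sorted(f"{user}:{suffix}" for suffix in suffixes)


def sign_command(ca_key: str, user: str, pubkey: str, serial: int) -> List[str]:
    """argv for ssh-keygen to issue the user cert carrying those principals.

    Returned rather than executed so the example runs without a CA key on disk.
    ssh-keygen's -n flag takes the principal list comma-separated.
    """
    principals = principals_for_user(user)
    if not principals:
        raise ValueError(f"{user} is in no group that grants host access")
    return [
        "ssh-keygen", "-s", ca_key,
        "-I", f"{user}@example-ca",   # key identity, logged by sshd (hypothetical)
        "-n", ",".join(principals),   # the 'user:role' principals
        "-z", str(serial),            # serial, useful for a KRL later
        "-V", "+52w",                 # validity window
        pubkey,
    ]


def authorized_principals(login_user: str, device_role: str) -> List[str]:
    """What the host's AuthorizedPrincipalsCommand script prints for login_user
    on a host whose Netbox role is device_role ($1 in the script is login_user)."""
    return [f"{login_user}:{device_role}", f"{login_user}:all"]


def login_permitted(cert_principals: List[str], login_user: str, device_role: str) -> bool:
    """sshd accepts the cert when any cert principal is on the host's list.

    Because every principal is prefixed with the username, alice's cert can
    never satisfy the list printed for a login as bob, even on a host whose
    role she is entitled to.
    """
    return bool(set(cert_principals) & set(authorized_principals(login_user, device_role)))


if __name__ == "__main__":
    for name in USER_GROUPS:
        print(name, principals_for_user(name))
    print(" ".join(sign_command("/etc/ssh/user_ca", "alice", "alice.pub", 1)))
    print("alice as alice on db host:", login_permitted(principals_for_user("alice"), "alice", "db"))
    print("alice as bob on db host:  ", login_permitted(principals_for_user("alice"), "bob", "db"))
```

On the host this corresponds to `TrustedUserCAKeys` pointing at the CA public key, `AuthorizedPrincipalsCommand /path/to/script %u` and an unprivileged `AuthorizedPrincipalsCommandUser`; the script above is the in-process stand-in for that command. Note that the `<user>:all` line is an intentional escape hatch for admins: any cert carrying it matches every host, so which groups map to the `all` suffix deserves the same review as which CAs are trusted.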