On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> a way that they only allow access to specific usernames *and* only to
>> specific groups of hosts.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust anchor for each host group.
I did think of that, and discounted it as being too ugly :-)
I also thought about using extensions in the user cert - but I couldn't
see a way to get sshd to require the presence of a particular extension
to permit login.
> But the other big question is the usability of the process for issuing
> and using the OpenSSH user certs. What's your idea on this?
I hadn't got to the details of the user side, but AFAICS all it requires
is a list of user:hostgroup principals to include in the cert for a
given user. This could be kept directly as an attribute of the user, or
you could generate it via a level of indirection (user -> group; group
-> list of principals or principal suffixes)
At the host side, I was thinking of authorizing principals based on the
machine's "role" in Netbox, which we use as inventory database:
#!/bin/sh
# AuthorizedPrincipalsCommand: sshd passes the requested login name as $1 (%u);
# {{ device_role }} is a template placeholder filled in from the Netbox device role.
echo "$1:{{ device_role }}"
echo "$1:all"
Regards,
Brian.
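The scheme Brian sketches above, worked through as an added example (this is not code from the thread, nor from Brian's or Michael's setups): the user -> group -> principal indirection on the CA side, the two-line host-side principal list, and a model of the decision sshd makes when it compares the certificate's principals with the output of AuthorizedPrincipalsCommand. The directory data, user names, group names and role names are constructed for illustration; `sshd_allows` is a model of sshd's exact-string matching, not sshd itself.

```python
"""Model of the "user:hostgroup" principal scheme from the thread.

Added example, not code from the thread. Directory data is constructed.
`sshd_allows` models (does not reimplement) sshd's AuthorizedPrincipalsCommand
check: login succeeds if any principal in the user cert is exactly equal to
one of the lines the command prints for the requested login name (%u).
"""
from __future__ import annotations

# Constructed sample directory: user -> groups. Names are assumptions.
USER_GROUPS = {
    "alice": ["webadmins", "everyone"],
    "bob": ["dbadmins", "everyone"],
    "carol": ["ops"],
}

# group -> Netbox device_role values the group may log in to.
# "all" is the catch-all suffix every host emits in its second line.
GROUP_ROLES = {
    "webadmins": ["web"],
    "dbadmins": ["db"],
    "everyone": ["bastion"],
    "ops": ["all"],
}


def issue_principals(user: str) -> list[str]:
    """CA side: principals to embed in `user`'s certificate.

    The indirection from the thread (user -> group -> role), emitted as
    "<user>:<role>" so the cert can only match when the login name is `user`.
    """
    roles = {r for g in USER_GROUPS.get(user, ()) for r in GROUP_ROLES.get(g, ())}
    return [f"{user}:{role}" for role in sorted(roles)]


def signing_principals_arg(user: str) -> str:
    """Comma-separated form for `ssh-keygen -s ca -I <id> -n <this> user.pub`."""
    return ",".join(issue_principals(user))


def host_principals(login_user: str, device_role: str) -> list[str]:
    """Host side: what the AuthorizedPrincipalsCommand prints for $1 (%u).

    Same two lines as the thread's shell script: "<user>:<role>" and "<user>:all".
    """
    return [f"{login_user}:{device_role}", f"{login_user}:all"]


def sshd_allows(cert_principals: list[str], login_user: str, device_role: str) -> bool:
    """Model of sshd's decision: exact string match, no wildcards.

    A cert with an empty principal list can never match here, and a cert
    issued to alice never matches a login as root, because every line the
    host prints starts with the requested login name.
    """
    return not set(cert_principals).isdisjoint(host_principals(login_user, device_role))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(f"{user}: -n {signing_principals_arg(user)!r}")
    for cert_user, login, role in [
        ("alice", "alice", "web"),      # web admin on a web host: allowed
        ("alice", "alice", "db"),       # same cert on a db host: denied
        ("alice", "root", "web"),       # alice's cert used as root: denied
        ("carol", "carol", "db"),       # carol:all matches the catch-all line
    ]:
        ok = sshd_allows(issue_principals(cert_user), login, role)
        print(f"{cert_user}'s cert as {login} on a {role} host: {'allowed' if ok else 'denied'}")
```

To wire this up for real, the host needs `TrustedUserCAKeys` pointing at the CA public key, `AuthorizedPrincipalsCommand /path/to/script %u` and an `AuthorizedPrincipalsCommandUser` (sshd refuses to run the command without one, and the script must be owned by root and not writable by group or others). The `user:` prefix is what stops a certificate issued to one account being presented for another: sshd never compares the principal against the login name directly when a principals command is configured, so the prefix has to come from the host side via `%u`. Matching is exact, so a role renamed in Netbox silently stops matching certificates that were issued with the old name until they are reissued.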
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev