Hi,

I think that adding an extension to the certificate as it is done for
source-address validation can be one way. Currently, as it is necessary to
support different versions of OpenSSH, we have developed GSH that uses
AuthorizedPrincipalsCommand to validate whether the certificate was issued to
the destination in question. You can add a script at AuthorizedPrincipalsCommand
to validate an extension.

GSH: https://github.com/globocom/gsh

Regards,

On Thu, 30 Jan 2020 at 10:16, Brian Candler <b.candler@xxxxxxxxx> wrote:
> On 30/01/2020 12:53, Michael Ströder wrote:
> > On 1/30/20 1:27 PM, Brian Candler wrote:
> >> I am trying to work out the best way to issue SSH certificates in such
> >> way that they only allow access to specific usernames *and* only to
> >> specific groups of host.
> > I also thought about this for a while. The only idea I came up with is
> > to have separate CAs used as trust anchor for each host group.
>
> I did think of that, and discounted it as being too ugly :-)
>
> I also thought about using extensions in the user cert - but I couldn't
> see a way to get sshd to require the presence of a particular extension
> to permit login.
>
> > But the other big question is the usability of the process for issuing
> > and using the OpenSSH user certs. What's your idea on this?
>
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user. This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)
>
> At the host side, I was thinking of authorizing principals based on the
> machine's "role" in Netbox, which we use as inventory database:
>
> #!/bin/sh
> echo "$1:{{ device_role }}"
> echo "$1:all"
>
> Regards,
>
> Brian.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Manoel Domingues Junior
https://keybase.io/mdjunior
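An added example (not part of this thread and not GSH's code) of the extension check Manoel describes: the logic an AuthorizedPrincipalsCommand script could run on the certificate sshd hands it through the %k token, assuming it is configured as `script %u %k` and that the CA puts the host groups a cert is valid for into a hypothetical extension named `host-groups@example.com`. sshd ignores non-critical extensions it does not recognise, which is why the check has to live in the command; the parser handles ed25519 certificates only, and `build_test_cert` is a test-only helper that produces unsigned certificates.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
HOST_GROUP_EXT = "host-groups@example.com"   # hypothetical extension name chosen for this example

def _s(b):                      # encode an SSH "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):              # decode one SSH string at off, return (value, new offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n
def _strings(section):          # decode a packed sequence of SSH strings
    out, off = [], 0
    while off < len(section):
        v, off = _rd(section, off); out.append(v)
    return out

def parse_cert(cert_text):
    """Fields of an ed25519 cert given as base64 (sshd's %k) or as 'keytype base64'."""
    blob = base64.b64decode(cert_text.split()[-1])
    ktype, off = _rd(blob, 0)
    if ktype != CERT_TYPE: raise ValueError("unsupported key type %r" % ktype)
    _nonce, off = _rd(blob, off); _pk, off = _rd(blob, off)       # nonce, ed25519 public key
    _serial, ctype = struct.unpack(">QI", blob[off:off + 12]); off += 12
    _key_id, off = _rd(blob, off)
    princ, off = _rd(blob, off)
    off += 16                   # skip valid_after / valid_before (uint64 each; sshd enforces them)
    _critical, off = _rd(blob, off)
    exts, _ = _rd(blob, off)    # extensions: name, data pairs; data wraps the value as a string
    items = _strings(exts)
    extensions = {items[i].decode(): items[i + 1] for i in range(0, len(items), 2)}
    return {"type": ctype, "principals": [p.decode() for p in _strings(princ)], "extensions": extensions}

def authorized_principals(cert_text, login_user, host_role):
    """What the AuthorizedPrincipalsCommand would print, one principal per list entry."""
    cert = parse_cert(cert_text)
    raw = cert["extensions"].get(HOST_GROUP_EXT)
    if cert["type"] != 1 or not raw:          # not a user cert (type 1), or extension absent/empty
        return []
    groups = _strings(raw)[0].decode().split(",")
    if host_role not in groups and "all" not in groups:
        return []
    return ["%s:%s" % (login_user, host_role), "%s:all" % login_user]

def build_test_cert(principals, extensions, ctype=1):
    """Constructed, unsigned cert for tests only; sshd checks the real CA signature itself."""
    ext_blob = b"".join(_s(n.encode()) + _s(_s(v.encode()) if v else b"") for n, v in extensions)
    body = (_s(CERT_TYPE) + _s(b"\0" * 32) + _s(b"\0" * 32) + struct.pack(">QI", 1, ctype)
            + _s(b"test-key-id") + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") + _s(ext_blob) + _s(b"") + _s(b"") + _s(b""))
    return base64.b64encode(body).decode()
```

Wired in as the command, the script would print the returned list one principal per line, so sshd still requires the cert's own principal list to contain `user:role` or `user:all`, exactly as in Brian's sketch.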