Re: SSH certificates - restricting to host groups

Hi,

I think that adding an extension to the certificate as it is done for
source-address validation can be one way.

Currently, as it is necessary to support different versions of OpenSSH, we
have developed GSH, which uses AuthorizedPrincipalsCommand to validate
whether the certificate was issued to the destination in question. You can
add a script at AuthorizedPrincipalsCommand to validate an extension.

GSH: https://github.com/globocom/gsh

Regards,

On Thu, 30 Jan 2020 at 10:16, Brian Candler <b.candler@xxxxxxxxx>
wrote:

> On 30/01/2020 12:53, Michael Ströder wrote:
> > On 1/30/20 1:27 PM, Brian Candler wrote:
> >> I am trying to work out the best way to issue SSH certificates in such
> >> a way that they only allow access to specific usernames *and* only to
> >> specific groups of hosts.
> > I also thought about this for a while. The only idea I came up with is
> > to have separate CAs used as trust anchor for each host group.
>
> I did think of that, and discounted it as being too ugly :-)
>
> I also thought about using extensions in the user cert - but I couldn't
> see a way to get sshd to require the presence of a particular extension
> to permit login.
>
> >
> > But the other big question is the usability of the process for issuing
> > and using the OpenSSH user certs. What's your idea on this?
>
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user.  This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)
>
> At the host side, I was thinking of authorizing principals based on the
> machine's "role" in Netbox, which we use as inventory database:
>
> #!/bin/sh
> echo "$1:{{ device_role }}"
> echo "$1:all"
>
> Regards,
>
> Brian.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
-- 
Manoel Domingues Junior
https://keybase.io/mdjunior
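As an added illustration of the two suggestions in this thread (it is not code from GSH or from any poster), the script below is an AuthorizedPrincipalsCommand helper that refuses certificates lacking a site-specific extension and then emits the `user:role` and `user:all` principals that Brian sketched. sshd ignores extensions it does not know (only unknown *critical options* make it reject a certificate), so the extension check has to be done by the command itself. Everything site-specific is assumed: the sshd_config lines in the header comment, the role file `/etc/ssh/device_role` standing in for the Netbox role, the extension name `hostgroup@example.com`, and that the installed `ssh-keygen` accepts `-L -f -` to read the certificate from stdin (recent OpenSSH releases do). `cert_has_extension` parses `ssh-keygen -L` output, so it can be exercised on a captured listing without a real certificate.

```shell
#!/bin/sh
# Added example for this thread; not code from GSH or from any poster.
# AuthorizedPrincipalsCommand helper that
#   1. only accepts certificates carrying a site-specific extension
#      (sshd ignores unknown extensions, so the check must live here), and
#   2. prints "user:role" and "user:all" principals from the host's inventory role.
#
# Assumed sshd_config lines (hypothetical):
#   AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u %t %k
#   AuthorizedPrincipalsCommandUser nobody
# Assumed: provisioning writes the inventory role to ROLE_FILE (hypothetical
# path), and the extension name below is invented for this example.

ROLE_FILE=${ROLE_FILE:-/etc/ssh/device_role}
REQUIRED_EXT=${REQUIRED_EXT:-hostgroup@example.com}

# Print the principals sshd may match: user:role and user:all.
# Rejects empty values and any character that could smuggle in an extra
# principal or line (sshd reads one principal per line).
emit_principals() {
    user=$1
    role=$2
    [ -n "$user" ] && [ -n "$role" ] || return 1
    case "$user$role" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s:%s\n%s:all\n' "$user" "$role" "$user"
}

# Read `ssh-keygen -L` output on stdin; succeed only if the Extensions
# section lists the wanted extension as the first word of a line.
cert_has_extension() {
    want=$1
    awk -v want="$want" '
        /^[[:space:]]*Extensions:/   { in_ext = 1; next }
        /^[[:space:]]*[A-Za-z ]+:/   { in_ext = 0 }      # another section header
        in_ext && $1 == want         { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Entry point used by sshd: $1 = %u (user), $2 = %t (key type), $3 = %k (base64 cert).
# Printing nothing or failing leaves sshd with no principal to match, so the login is refused.
main() {
    role=$(cat "$ROLE_FILE") || return 1
    # Rebuild the "type base64" line and let ssh-keygen decode the certificate from stdin.
    printf '%s %s\n' "$2" "$3" | ssh-keygen -L -f - |
        cert_has_extension "$REQUIRED_EXT" || return 1
    emit_principals "$1" "$role"
}

# Only act as the command when sshd supplies the three arguments.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The role is validated with the same character whitelist as the username, so a role name with spaces or newlines in the inventory cannot turn into a second principal. Because the user certificate is still bound to `user:role` principals on the CA side, the extension check only adds a second gate; hosts that do not run this command simply match on principals as before.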