On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> As a concrete example: I want Alice to be able to login as "alice" and
> "www" to machines in group "webserver" (only). Also, I want Bob to be
> able to login as "bob" and "www" to machines in group "webserver" (only).

Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
each of the "web servers", where the contents of the alice file include
the principal name alice, the contents of the bob file contain the bob
principal, and the contents of the www file contain the contents alice
and bob?

Wouldn't that allow alice to ssh as alice, and www, and allow bob to ssh
as bob and www to any machines that had this AuthorizedPrincipalsFile
configuration?

Mark

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
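The layout Mark describes, laid out as a script (an added example, not code from the thread or from OpenSSH). It assumes sshd_config on every host in the "webserver" group carries `TrustedUserCAKeys /etc/ssh/user_ca.pub` and `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u`, so that a login to account X is accepted when a principal in the presented certificate appears in `/etc/ssh/auth_principals/X`. The "webserver (only)" part then falls out of deployment: hosts outside the group simply do not get the CA key or the files. A temporary directory stands in for `/etc/ssh`; the `principal_allowed` function is a simplified local model of sshd's lookup (it ignores comment lines and authorized_keys-style options), and the certificate-issuing part is skipped if ssh-keygen is not installed. Names such as `user_ca`, `alice-cert` and `$WORK` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH itself. Builds the
# per-account AuthorizedPrincipalsFile layout and checks which principal
# each account accepts. Assumed sshd_config on every "webserver" host:
#
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
#
# $WORK (a temp dir, an assumption of this example) stands in for /etc/ssh
# so nothing on the host is touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PRINCIPALS_DIR="$WORK/auth_principals"

# One principal per line. The "www" account lists both people: that is what
# lets alice and bob log in as www while still keeping alice out of bob.
setup_principals() {
    mkdir -p "$PRINCIPALS_DIR"
    printf 'alice\n'      > "$PRINCIPALS_DIR/alice"
    printf 'bob\n'        > "$PRINCIPALS_DIR/bob"
    printf 'alice\nbob\n' > "$PRINCIPALS_DIR/www"
    chmod 644 "$PRINCIPALS_DIR"/*
}

# Simplified model of sshd's principals-file lookup: is PRINCIPAL listed, as
# a whole line, in the file for ACCOUNT? (Real sshd also skips blank and '#'
# lines and allows authorized_keys-style options before the name.)
# Returns 0 when the login would be accepted, 1 otherwise.
principal_allowed() {
    account=$1
    principal=$2
    file="$PRINCIPALS_DIR/$account"
    [ -f "$file" ] || return 1     # no file for that account: no cert logins
    grep -qxF -- "$principal" "$file"
}

# Issue a user certificate whose principal list is exactly the person's own
# name. The certificate never names "www"; the per-account files decide which
# accounts that principal may use. Skipped when ssh-keygen is unavailable.
issue_cert() {
    user=$1
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; skipping certificate for $user"
        return 0
    fi
    [ -f "$WORK/user_ca" ] || \
        ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$WORK/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/user_ca" -I "$user-cert" -n "$user" -V +52w "$WORK/$user.pub"
    # Check what the cert actually carries: the line after "Principals:"
    # should show only $user.
    ssh-keygen -L -f "$WORK/$user-cert.pub" | sed -n '/Principals:/{n;p;}'
}

# Print the full access matrix so the scheme can be eyeballed.
access_matrix() {
    for principal in alice bob; do
        for account in alice bob www; do
            if principal_allowed "$account" "$principal"; then
                verdict=allowed
            else
                verdict=denied
            fi
            printf 'cert principal %-6s -> account %-6s %s\n' \
                "$principal" "$account" "$verdict"
        done
    done
}

setup_principals
issue_cert alice
issue_cert bob
access_matrix
echo "files written under $PRINCIPALS_DIR"
```

On a real host the check to run after deploying the files is `ssh -i alice -o CertificateFile=alice-cert.pub www@webserver`, followed by `ssh -v` output or the sshd log, which names the principal that matched. Sign with an explicit `-n` principal list every time: the scheme relies on the certificate carrying the person's name and nothing else, since any principal in the certificate that also appears in an account's file grants that account.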