On 1/30/20 2:16 PM, Brian Candler wrote:
> On 30/01/2020 12:53, Michael Ströder wrote:
>> But the other big question is the usability of the process for issuing
>> and using the OpenSSH user certs. What's your idea on this?
>
> I hadn't got to the details of the user side, but AFAICS all it requires
> is a list of user:hostgroup principals to include in the cert for a
> given user. This could be kept directly as an attribute of the user, or
> you could generate it via a level of indirection (user -> group; group
> -> list of principals or principal suffixes)

Adding authz information to user certs means that you need to renew the
cert if the authz information changes during cert lifetime. This can be
annoying for users. How long should your user certs be valid?

You have to maintain this user-hostgroup relationship somewhere. Is it
possible for your system to query this information?

YMMV.

Ciao, Michael.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
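The following is an added illustration of the two points made in this exchange, not code from either poster: it derives user:hostgroup principals through the indirection Brian describes (user -> group -> hostgroup list), builds the `ssh-keygen` signing command with a short `-V` lifetime, and shows why Michael's renewal concern arises, since the principals frozen into an issued cert do not follow later changes to the directory data. The user/group/hostgroup tables are constructed sample data standing in for a real directory, and the CA key path and user key path are hypothetical placeholders.

```python
"""Derive OpenSSH user-certificate principals by indirection
(user -> group -> hostgroup), build the ssh-keygen signing command,
and detect when an issued cert's principals have drifted from the
current authz data (the renewal problem raised in the thread).

All identity data below is constructed sample data; the CA key path
and user key path are hypothetical placeholders.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample directory data (stands in for LDAP or similar).
USER_GROUPS = {
    "alice": ["dba", "webops"],
    "bob": ["webops"],
}
GROUP_HOSTGROUPS = {
    "dba": ["db-prod", "db-staging"],
    "webops": ["web-prod", "web-staging"],
}


def principals_for(user):
    """Return the user:hostgroup principals granted to `user`, sorted and
    de-duplicated: every hostgroup reachable through any of the user's
    groups yields one principal."""
    hostgroups = set()
    for group in USER_GROUPS.get(user, ()):
        hostgroups.update(GROUP_HOSTGROUPS.get(group, ()))
    return [f"{user}:{hg}" for hg in sorted(hostgroups)]


def sign_command(user, user_pubkey, ca_key="/etc/ssh/user_ca",
                 validity="+8h", serial=1):
    """Build the ssh-keygen argv that signs `user_pubkey` as a user cert
    carrying the derived principals. `validity` uses ssh-keygen's relative
    -V syntax (e.g. "+8h"); a short lifetime bounds how long a cert with
    stale authz data remains usable after a directory change."""
    principals = principals_for(user)
    if not principals:
        raise ValueError(f"{user} has no hostgroup access; refusing to sign")
    key_id = f"{user}-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}"
    return [
        "ssh-keygen",
        "-s", ca_key,                 # CA private key (hypothetical path)
        "-I", key_id,                 # key identity, appears in sshd logs
        "-n", ",".join(principals),   # principals baked into the cert
        "-V", validity,               # validity interval
        "-z", str(serial),            # serial number, useful for a KRL later
        user_pubkey,
    ]


def sign(user, user_pubkey, **kwargs):
    """Run ssh-keygen for real; it writes <user_pubkey without .pub>-cert.pub."""
    subprocess.run(sign_command(user, user_pubkey, **kwargs), check=True)


def needs_renewal(cert_principals, user):
    """True when the principals frozen into an issued cert no longer match
    what the directory currently grants. Changing group membership does
    not alter any cert already in circulation, so the cert must be
    reissued (or left to expire) before the change takes effect."""
    return sorted(cert_principals) != principals_for(user)


if __name__ == "__main__":
    print(" ".join(sign_command("alice", "/home/alice/.ssh/id_ed25519.pub")))
    issued = principals_for("alice")
    USER_GROUPS["alice"].remove("dba")  # simulate alice leaving the DBA team
    print("alice cert needs renewal:", needs_renewal(issued, "alice"))
```

On the host side, sshd compares the cert's principals against its `AuthorizedPrincipalsFile` (or the output of `AuthorizedPrincipalsCommand`), which is where the hostgroup half of the user:hostgroup scheme would be enforced; the cert lifetime passed via `-V` is then the upper bound on how long a revoked group membership keeps working unless a KRL is also distributed.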