Re: SSH certificates - restricting to host groups

On 30/01/2020 15:02, Christian, Mark wrote:
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice" and
> > "www" to machines in group "webserver" (only). Also, I want Bob to be
> > able to login as "bob" and "www" to machines in group "webserver" (only).
> Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob?  Wouldn't that allow alice to ssh as alice, and www, and allow
> bob to ssh as bob and www to any machines that had this
> authorizedPrincipals file configuration?

Yes, that would work, but then it comes back down to configuration management to push out all authorizations (and more importantly, remove them when no longer authorized).  If you're going to do that, it's not too far removed from pushing out ~/.ssh/authorized_keys for each user.

I was hoping to avoid the dependency on configuration management by carrying the authorization in the certs themselves - if that is in the spirit of the SSH cert mechanism.


On 30/01/2020 16:05, Michael Ströder wrote:
> Adding authz information to user certs means that you need to renew the
> cert if the authz information changes during cert life-time. This can be
> annoying for users.
>
> How long should your user certs be valid?

I think on an initial implementation I'd go with 3-month certs, perhaps using a PKCS#11 token like a Yubikey.  You're right that if we have to change the authorization for a user, they'd need a new cert.

Eventually it would be nice to move to daily certs with online login (e.g. cashier, step-ca) in which case anyone who needs a new cert can get it themselves instantly.  The main thing stopping me from doing this straight away is your other point:

> You have to maintain this user-hostgroup relationship somewhere. Is it
> possible for your system to query this information?

The inventory system tracks hosts rather than users, but I don't see a big problem putting the user-group relationship into LDAP, even if it only writes out a flat file periodically.

However, the system which issues the certs needs to be able to do the mapping from OIDC claims to SSH cert principals.  I've just been looking at step-ca and I don't see a way to do that.  I haven't looked at cashier yet, and I only just learned of gsh.

Regards,

Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
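One way to carry the host-group authorization in the certificate itself while keeping the hosts free of per-user files, as an added example that is not part of this thread and not code from any of its participants: each grant becomes a "<group>:<login>" principal in the user cert, and every host derives its own allowed principals from a group name it already holds, via AuthorizedPrincipalsCommand. The principal format, the file /etc/ssh/host-groups and the helper script path are assumptions for the illustration.

```shell
#!/bin/sh
# Assumed sshd_config on every host (the same lines on every host, no per-user data):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsCommand /usr/local/sbin/host-principals %u
#   AuthorizedPrincipalsCommandUser nobody
#
# /etc/ssh/host-groups (constructed for this example) lists the group(s) the
# host belongs to, one per line, e.g. "webserver".

# What /usr/local/sbin/host-principals prints for login user $1:
# one allowed principal "<group>:<login>" per line, for each group in file $2.
host_principals() {
    while read -r group; do
        case "$group" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s:%s\n' "$group" "$1"
    done < "$2"
}

# Decide as sshd would: allow iff any principal in the cert exactly matches
# one of the principals the host computed for the requested login user.
# $1 = comma-separated cert principals (the value passed to ssh-keygen -n)
# $2 = login user, $3 = host group file
cert_authorizes() {
    allowed=$(host_principals "$2" "$3")
    IFS=,
    for p in $1; do
        [ -n "$p" ] || continue                      # ignore empty entries
        if printf '%s\n' "$allowed" | grep -qxF -- "$p"; then
            unset IFS; return 0
        fi
    done
    unset IFS; return 1
}

# Issuing Alice's cert with her grants (needs ssh-keygen, run by the CA):
#   ssh-keygen -s user_ca -I alice -n webserver:alice,webserver:www -V +12w alice.pub
# Revoking a grant later means re-issuing the cert without that principal,
# which is the renewal cost Michael points out.
```

Because the host only needs to know its own group, adding or removing a user's access changes only the cert the CA issues, not anything on the hosts.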
