Re: SSH certificates - restricting to host groups

On 30/01/2020 16:41, Peter Moody wrote:
> this is the right answer. you want to use AuthorizedPrincipalsFile (or
> AuthorizedPrincipalsCommand if your authz information needs to change
> on a quicker cadence than your config pushes) on the machines.
>
> you'd have something like
>
> $ cat /etc/ssh/sshd_config
>
> <snip>
> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
>
> Match User www
>    AuthorizedKeysFile /etc/ssh/empty
>    AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> <snip>
>
> $ cat /etc/ssh/www_authorized_principals
> alice
> bob
>
> and alice and bob just have regular user certificates with 'alice' or
> 'bob' in the principals


But that doesn't solve the other part of my problem, which is that alice and bob's certificates should only be usable for logging in to a specific group of hosts - even as their own username "alice" or "bob".


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
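
Added example (the editor's, not code from either poster or from the OpenSSH project) that takes the quoted AuthorizedPrincipalsFile approach one step further to the host-group question raised in the reply: the CA issues alice a certificate whose only principals are host-group-qualified ("www:alice"), never the bare "alice", and each host in the www group authorizes "www:alice" through a per-account file selected by "AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u". A host outside the group never lists that principal, so the certificate is useless there, and because the file path is keyed on %u the same certificate cannot open bob's account either (a single shared file would allow that). The CA path under a temp directory, the host groups "www" and "db", and the would_accept function are assumptions for illustration; would_accept reproduces only sshd's plain principal-per-line match (it ignores per-line options and comments), and the authoritative decision is always sshd's.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Scope user certificates
# to a host group with group-qualified principals and a per-account
# AuthorizedPrincipalsFile. Assumed: CA at $WORK/user_ca, groups "www"/"db".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Principals for <user> over host groups <group>...: "www:alice,db:alice".
# The bare "alice" is deliberately absent, so on a host that only has
# TrustedUserCAKeys (default rule: target username must be a principal)
# this certificate is rejected. Never sign with an empty -n either: a
# certificate with no principals is valid for every user.
cert_principals() {   # cert_principals <user> <group>...
    user=$1; shift
    out=""
    for g in "$@"; do out="${out:+$out,}$g:$user"; done
    printf '%s' "$out"
}

# Real issuance when ssh-keygen is installed (skipped otherwise so the
# script still runs offline). Produces $WORK/<user>-cert.pub.
issue_cert() {   # issue_cert <user> <group>...
    user=$1
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    [ -f "$WORK/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$WORK/user_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/user_ca" -I "$user" -n "$(cert_principals "$@")" \
        -V +52w "$WORK/$user.pub"
}

# Host-side files for a host in <group> that admits accounts <user>...
# Keying the path on %u keeps the username binding: alice's certificate
# only opens the account whose file lists "www:alice".
configure_host() {   # configure_host <group> <user>...
    group=$1; shift
    dir="$WORK/hosts/$group/etc/ssh"
    mkdir -p "$dir/auth_principals"
    cat >"$dir/sshd_config" <<EOF
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedKeysFile none
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
    for u in "$@"; do printf '%s:%s\n' "$group" "$u" >"$dir/auth_principals/$u"; done
}

# Model of sshd's check once AuthorizedPrincipalsFile is set: accept (exit 0)
# iff some certificate principal is a line of the target account's file.
# Only the plain name-per-line form is modelled; options/comments ignored.
would_accept() {   # would_accept <group> <target_account> <principals_csv>
    file="$WORK/hosts/$1/etc/ssh/auth_principals/$2"
    [ -f "$file" ] || return 1
    printf '%s\n' "$3" | tr ',' '\n' | grep -qxF -f - "$file"
}

show() {   # show <host_group> <target_account> <cert_owner> <cert_group>...
    g=$1; acct=$2; owner=$3; shift 3
    p=$(cert_principals "$owner" "$@")
    if would_accept "$g" "$acct" "$p"; then v=accept; else v=deny; fi
    printf '%-3s host, login as %-5s, cert principals %-15s -> %s\n' "$g" "$acct" "$p" "$v"
}

# --- demo with constructed data ---
configure_host www alice bob   # web tier admits alice and bob
configure_host db  bob         # database tier admits only bob
issue_cert alice www           # www:alice
issue_cert bob   www db        # www:bob,db:bob

show www alice alice www       # accept
show db  alice alice www       # deny: alice's cert is not scoped to db
show www bob   alice www       # deny: per-account file keeps alice out of bob
show db  bob   bob   www db    # accept
```

Hosts that already use a shared principals file for a service account, as in the quoted "Match User www" block, keep working unchanged; the per-account %u form is only needed where the certificate must stay bound to its owner's own login name.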
