On Thu, 2020-01-30 at 16:45 +0000, Brian Candler wrote:
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile (or
> > AuthorizedPrincipalsCommand if your authz information needs to change
> > on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> >     AuthorizedKeysFile /etc/ssh/empty
> >     AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice' or
> > 'bob' in the principals
>
> But that doesn't solve the other part of my problem, which is that alice
> and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or "bob".

AllowGroups, AllowUsers in sshd_config. /etc/security/access.conf or
equivalent. These are the ways to limit access to systems where bob and
alice are not authorized.

Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
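The following is an added example, not code from the thread or from OpenSSH: a small Python model of the sshd_config keywords discussed above (TrustedUserCAKeys, AuthorizedPrincipalsFile, Match User, AllowUsers, AllowGroups) so that Peter's principals-file setup and Mark's AllowGroups addition can be compared side by side without running sshd. It reproduces the decision rules from sshd(8) as far as those keywords go: Allow* is checked before authentication, a certificate login as a user without an AuthorizedPrincipalsFile requires the login name to be a certificate principal (a certificate with no principals is valid for any user), and with an AuthorizedPrincipalsFile one of the certificate's principals must be listed there. Host names, accounts, group memberships and file contents are constructed for the illustration; wildcard patterns, user@host forms, DenyUsers/DenyGroups, options in principals files and Match criteria other than User are not modelled.

```python
# Added example (not from the thread or OpenSSH): a model of the sshd_config
# keywords discussed on the list. Hosts, users, groups and file contents are
# constructed for illustration.
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    sshd_config: str
    files: dict    # path -> contents of AuthorizedPrincipalsFile(s) on this host
    groups: dict   # local account -> set of groups it belongs to


@dataclass
class Cert:
    key_id: str
    principals: frozenset  # empty = valid for any user (ssh-keygen default)


def effective_config(text, login_user):
    """Keyword -> value as sshd would apply it for login_user.

    Global section: first obtained value wins. 'Match User' blocks whose
    comma-separated list contains login_user override the global value,
    earliest matching block first. Only the User criterion is modelled."""
    global_conf, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kw, _, value = line.partition(" ")
        kw, value = kw.lower(), value.strip()
        if kw == "match":
            crit = value.split()
            users = crit[1].split(",") if len(crit) == 2 and crit[0].lower() == "user" else []
            current = {}
            blocks.append((users, current))
        elif current is None:
            global_conf.setdefault(kw, value)
        else:
            current.setdefault(kw, value)
    conf, applied = dict(global_conf), set()
    for users, block in blocks:
        if login_user in users:
            for kw, value in block.items():
                if kw not in applied:
                    conf[kw] = value
                    applied.add(kw)
    return conf


def principals_listed(host, path):
    """Principal names in an AuthorizedPrincipalsFile (per-line options not modelled)."""
    names = set()
    for line in host.files.get(path, "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def decide(host, login_user, cert):
    """Return (accepted, reason) for a CA-signed certificate login as login_user."""
    if login_user not in host.groups:
        return False, "no such local account"
    conf = effective_config(host.sshd_config, login_user)
    # Allow* gates the login name before any authentication method runs.
    if "allowusers" in conf and login_user not in conf["allowusers"].split():
        return False, "blocked by AllowUsers"
    if "allowgroups" in conf and not (host.groups[login_user] & set(conf["allowgroups"].split())):
        return False, "blocked by AllowGroups"
    if "trustedusercakeys" not in conf:
        return False, "no TrustedUserCAKeys: certificates are not accepted"
    pfile = conf.get("authorizedprincipalsfile", "none")
    if pfile.lower() != "none":
        path = pfile.replace("%u", login_user)
        if cert.principals & principals_listed(host, path):
            return True, f"certificate principal listed in {path}"
        return False, f"no certificate principal listed in {path}"
    if not cert.principals or login_user in cert.principals:
        return True, "login name is a certificate principal"
    return False, "login name is not a certificate principal"


# Peter's configuration on the web host (constructed to match the thread).
WEB_CONFIG = """\
TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys

Match User www
    AuthorizedKeysFile /etc/ssh/empty
    AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
"""
# A database host that trusts the same CA; with and without Mark's AllowGroups.
DB_CONFIG_BEFORE = "TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys\n"
DB_CONFIG_AFTER = DB_CONFIG_BEFORE + "AllowGroups dba\n"

WEB = Host("web1", WEB_CONFIG, {"/etc/ssh/www_authorized_principals": "alice\nbob\n"},
           {"www": {"www"}, "alice": {"alice"}, "bob": {"bob"}})
DB_GROUPS = {"alice": {"alice"}, "bob": {"bob"}, "carol": {"carol", "dba"}}
DB_BEFORE = Host("db1", DB_CONFIG_BEFORE, {}, DB_GROUPS)
DB_AFTER = Host("db1", DB_CONFIG_AFTER, {}, DB_GROUPS)

ALICE = Cert("alice", frozenset({"alice"}))
CAROL = Cert("carol", frozenset({"carol"}))
MALLORY = Cert("mallory", frozenset({"mallory"}))


def run_scenarios():
    """Accept/reject outcome for each constructed case, keyed by description."""
    cases = {
        "alice as www on web1": decide(WEB, "www", ALICE),
        "mallory as www on web1": decide(WEB, "www", MALLORY),
        "alice as alice on web1": decide(WEB, "alice", ALICE),
        "alice as alice on db1 (CA trusted, no Allow*)": decide(DB_BEFORE, "alice", ALICE),
        "alice as alice on db1 (AllowGroups dba)": decide(DB_AFTER, "alice", ALICE),
        "carol as carol on db1 (AllowGroups dba)": decide(DB_AFTER, "carol", CAROL),
    }
    return {name: accepted for name, (accepted, _) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {name}")
```

The fourth case is Brian's complaint: once a host trusts the CA, alice's certificate gets her in as alice wherever she has an account, and the www principals file says nothing about that. The fifth case is Mark's answer applied: `AllowGroups dba` on the database host rejects her before the certificate is even looked at, while carol, who is in dba, still gets in. Note that the sshd_config has to place AllowGroups before the Match block, since everything after a Match line until the next one belongs to that block.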