On Thu, Jan 30, 2020 at 8:45 AM Brian Candler <b.candler@xxxxxxxxx> wrote:
>
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile (or
> > AuthorizedPrincipalsCommand if your authz information needs to change
> > on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> > AuthorizedKeysFile /etc/ssh/empty
> > AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice' or
> > 'bob' in the principals
> >
> But that doesn't solve the other part of my problem, which is that alice
> and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or "bob".

on any machine that has those two snippets above, 'alice' and 'bob' will be able to log in as 'www'. If user accounts for 'alice' and 'bob' exist on those same machines, 'alice' and 'bob' will be able to log in as only 'alice' and 'bob' respectively (i.e., a certificate with 'alice' can be used to authenticate as the alice user and a certificate with 'bob' can be used to authenticate as the 'bob' user).

the posix user accounts don't need to exist on a given machine to use the AuthorizedPrincipalsFile/AuthorizedPrincipalsCommand for logging in as a shared user.

If you're saying that you don't want 'alice' or 'bob' to be able to log into the webserver machines as alice or bob, then don't create those accounts, but they can still use their certificates with the AuthorizedPrincipalsFile to get access to www

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
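The host-group scoping Brian asks about, as an added example that is neither from the thread nor from OpenSSH: an AuthorizedPrincipalsCommand script that prints the principals allowed to become the target user on this particular host, driven by a per-host group marker, so a certificate carrying the principal "alice" opens `www` only on hosts whose group lists her. The `$ROOT` tree, the `hostgroup` file and the `principals.d/<group>/<user>` layout are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: a host-scoped AuthorizedPrincipalsCommand.
# Layout (hypothetical, rooted at $ROOT instead of /etc/ssh so it runs anywhere):
#   $ROOT/hostgroup                    one word, this host's group, e.g. "web"
#   $ROOT/principals.d/<group>/<user>  principals allowed to log in as <user> on
#                                      hosts of that group, one per line
# sshd_config would carry:
#   AuthorizedPrincipalsCommand /usr/local/sbin/host_principals.sh %u
#   AuthorizedPrincipalsCommandUser nobody
# sshd accepts the certificate if any of its principals equals a line the
# command prints, exactly as it does for AuthorizedPrincipalsFile, so alice's
# certificate gets her into www only on hosts whose group lists "alice".

# Print the principals permitted to become user $1 on this host. Printing
# nothing (and exiting 0) makes sshd reject every certificate for that user.
host_principals() {
    group=$(cat "$ROOT/hostgroup" 2>/dev/null) || return 0
    file="$ROOT/principals.d/$group/$1"
    [ -f "$file" ] || return 0
    sed -e 's/[[:space:]]*#.*//' -e '/^[[:space:]]*$/d' "$file"  # drop comments, blanks
}

# Would sshd let a certificate carrying principals $2.. log in as user $1?
# Same rule sshd applies: any certificate principal equal to any printed line.
cert_authorized() {
    user=$1; shift
    allowed=$(host_principals "$user")
    for p in "$@"; do
        printf '%s\n' "$allowed" | grep -qx -- "$p" && return 0
    done
    return 1
}

# Constructed demo tree (not a real /etc/ssh): alice and bob may become www on
# "web" hosts, only carol on "db" hosts. The installed command would simply run
# `host_principals "$1"` in place of this loop.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/principals.d/web" "$ROOT/principals.d/db"
printf 'alice\nbob\n' > "$ROOT/principals.d/web/www"
printf 'carol  # dba on-call\n' > "$ROOT/principals.d/db/www"
for g in web db; do
    echo "$g" > "$ROOT/hostgroup"
    for p in alice carol; do
        if cert_authorized www "$p"; then r=allowed; else r=denied; fi
        echo "group $g: certificate with principal '$p' logging in as www: $r"
    done
done
rm -rf "$ROOT"
```

Because the command is evaluated per host, the same certificate is accepted on a web host and rejected on a db host without touching the CA or reissuing anything.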