Re: SSH certificates - restricting to host groups

On 31/01/2020 14:29, Michael Ströder wrote:
> Hmm, personally I'd recommend not issuing user certs for generic user
> names (e.g. "www"). While some cert information is logged by sshd, it
> requires keeping track of all issued certs in a searchable data store to
> be able to properly map logins to personal user accounts during an audit.

I thought that was the point of the certificate "identity" (-I) in addition to the "principals" (-n). The login shows the certificate identity:

Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from 2001_db8::2009 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA SHA256:fofx2XMj+RqnLlui09aDIuV9fWqPiU54oWStDzYr/p0

In this case, the cert identity was "brian"; cert principals were "alice" and "www"; ssh login was as user "alice".

It's still a good idea to keep track of all issued certs though, in case you need to revoke one.

Regards,

Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
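The exchange above turns on two facts: sshd logs the certificate's key ID and serial on every certificate login, and you still want an inventory of issued certs for revocation. The script below, an added example that is not part of the thread or of OpenSSH itself, parses "Accepted publickey ... -CERT ID ... (serial N) CA ..." lines of the form Brian posted, joins each login against a small in-memory inventory keyed by serial, attributes the login to a person, flags the cases an auditor would care about (serial not in inventory, login with a cert the inventory already marks revoked, cert from a CA fingerprint you do not track), and emits the "serial:" lines you would feed to ssh-keygen -k to build a KRL. The log lines, the inventory entries and the CA fingerprint for the second CA are constructed for the example; only the first log line mirrors the one quoted in the message.

```python
"""Attribute sshd certificate logins to people and reconcile them with an issued-cert inventory.

Added example for the openssh-unix-dev thread on SSH certificate identities; not OpenSSH code.
"""
import re
from dataclasses import dataclass

# sshd's "Accepted publickey" line for certificate logins, as quoted in the thread:
# login user, the cert's key ID (ssh-keygen -I), its serial (-z) and the signing CA's fingerprint.
CERT_LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<addr>\S+) port \d+ ssh2: "
    r"(?P<keytype>[A-Z0-9]+)-CERT ID (?P<cert_id>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+)"
)


@dataclass(frozen=True)
class IssuedCert:
    """One row of the issued-cert inventory (constructed for the example)."""
    serial: int
    identity: str          # the -I key ID written into the cert
    principals: frozenset  # the -n principals the cert may log in as
    issued_to: str         # the person or team the cert was handed to
    revoked: bool = False


@dataclass(frozen=True)
class CertLogin:
    user: str
    addr: str
    cert_id: str
    serial: int
    ca_fp: str


def parse_cert_login(line):
    """Return a CertLogin for a certificate login line, or None for any other line."""
    m = CERT_LOGIN_RE.search(line)
    if m is None:
        return None
    return CertLogin(m["user"], m["addr"], m["cert_id"], int(m["serial"]), m["ca_fp"])


def attribute_login(login, registry, our_ca_fp):
    """Map a login to a person using the inventory; return (who, findings).

    If the serial is unknown, the logged key ID is the best attribution available.
    """
    findings = []
    if login.ca_fp != our_ca_fp:
        findings.append("cert signed by a CA not in our inventory")
    cert = registry.get(login.serial)
    if cert is None:
        findings.append("serial not in issued-cert inventory")
        return login.cert_id, findings
    if cert.identity != login.cert_id:
        findings.append("logged key ID differs from inventory")
    if login.user not in cert.principals:
        findings.append("login user not among recorded principals")
    if cert.revoked:
        findings.append("accepted with a cert marked revoked (KRL not deployed?)")
    return cert.issued_to, findings


def krl_spec_lines(registry):
    """Spec lines for `ssh-keygen -k -f revoked.krl -s ca.pub spec` revoking every cert marked revoked."""
    revoked = sorted((c for c in registry.values() if c.revoked), key=lambda c: c.serial)
    return [f"serial: {c.serial}" for c in revoked]


def audit(lines, registry, our_ca_fp):
    """Return (user, serial, who, findings) for every certificate login in `lines`."""
    report = []
    for line in lines:
        login = parse_cert_login(line)
        if login is None:  # password/plain-key logins are out of scope here
            continue
        who, findings = attribute_login(login, registry, our_ca_fp)
        report.append((login.user, login.serial, who, tuple(findings)))
    return report


# Constructed inputs. OUR_CA_FP matches the fingerprint in the thread; the rest is made up.
OUR_CA_FP = "SHA256:fofx2XMj+RqnLlui09aDIuV9fWqPiU54oWStDzYr/p0"
OTHER_CA_FP = "SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
REGISTRY = {
    1: IssuedCert(1, "brian", frozenset({"alice", "www"}), "Brian"),
    2: IssuedCert(2, "deploy-bot", frozenset({"www"}), "CI team", revoked=True),
}
SAMPLE_LOG = [
    "Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from 2001:db8::2009 port 56943 ssh2: "
    f"RSA-CERT ID brian (serial 1) CA RSA {OUR_CA_FP}",
    "Jan 30 12:03:12 test1 sshd[4802]: Accepted publickey for www from 2001:db8::2010 port 50122 ssh2: "
    f"ED25519-CERT ID deploy-bot (serial 2) CA RSA {OUR_CA_FP}",
    "Jan 30 12:10:01 test1 sshd[4811]: Accepted password for bob from 2001:db8::2011 port 50200 ssh2",
    "Jan 30 12:15:40 test1 sshd[4820]: Accepted publickey for alice from 2001:db8::2012 port 50300 ssh2: "
    f"RSA-CERT ID brian (serial 7) CA RSA {OUR_CA_FP}",
    "Jan 30 12:20:05 test1 sshd[4831]: Accepted publickey for alice from 2001:db8::2013 port 50400 ssh2: "
    f"RSA-CERT ID brian (serial 1) CA RSA {OTHER_CA_FP}",
]

if __name__ == "__main__":
    for user, serial, who, findings in audit(SAMPLE_LOG, REGISTRY, OUR_CA_FP):
        print(f"login as {user:6} serial {serial}: attributed to {who!r}", "; ".join(findings))
    print("KRL spec:", krl_spec_lines(REGISTRY))
```

The serial is the join key rather than the key ID because sshd enforces neither uniqueness nor meaning of the ID; if you sign with `-z` and record the serial at issue time, the log line alone gets you to the inventory row, and the same serial is what the KRL spec revokes.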