Re: SSH certificates - restricting to host groups

On 1/31/20 3:52 PM, Brian Candler wrote:
> On 31/01/2020 14:29, Michael Ströder wrote:
>> Hmm, personally I'd recommend not issuing user certs for generic user
>> names (e.g. "www"). While some cert information is logged by sshd, it
>> requires keeping track of all issued certs in a searchable data store to
>> be able to properly map logins to personal user accounts during an audit.
> 
> I thought that was the point of the certificate "identity" (-I) in
> addition to the "principals" (-n).  The login shows the certificate
> identity:
> 
> Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from
> 2001_db8::2009 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA
> SHA256:fofx2XMj+RqnLlui09aDIuV9fWqPiU54oWStDzYr/p0
> 
> In this case, the cert identity was "brian"; cert principals were
> "alice" and "www"; ssh login was as user "alice".

Ah, ok. The description of the semantics in ssh-keygen(1) is not really
clear, so currently I've just set a UUID for each new key pair. But I could
prefix this with a user name.

> It's still a good idea to keep track of all issued certs though, in case
> you need to revoke one.

Or better get rid of the revocation requirement. ;-)

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
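Added example, not part of the thread: a small Python parser for the sshd "Accepted publickey" line format quoted above. It shows the audit point both posters are making: a certificate login carries the identity (-I) in the log, so a login to a shared account such as "www" can still be attributed to a person, while a plain-key login only yields a key fingerprint that must be resolved against a separately maintained key inventory. The log lines and fingerprints below are constructed placeholders.

```python
import re
from typing import Optional

# Regex for sshd "Accepted publickey" lines. Two shapes exist: a plain-key
# login ends in "<keytype> <fingerprint>", a certificate login ends in
# "<keytype>-CERT ID <identity> (serial N) CA <catype> <ca fingerprint>".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: (?:"
    r"(?P<cert_type>\S+-CERT) ID (?P<identity>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+)"
    r"|(?P<key_type>\S+) (?P<key_fp>SHA256:\S+))$"
)

def parse_accepted(line: str) -> Optional[dict]:
    """Return login details for one sshd line, or None if it is not an accepted publickey login."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {"user": d["user"], "src": d["src"]}
    if d["cert_type"]:  # certificate login: identity and serial are in the log
        rec.update(identity=d["identity"], serial=int(d["serial"]), ca_fp=d["ca_fp"], key_fp=None)
    else:               # plain key login: only the key fingerprint is available
        rec.update(identity=None, serial=None, ca_fp=None, key_fp=d["key_fp"])
    return rec

def attribute_logins(lines, trusted_ca_fps):
    """Map each accepted login (login user) to the person behind it.
    A cert signed by a trusted CA is attributed to its identity; a cert from an
    unknown CA is flagged; a plain key needs lookup in an external key inventory."""
    out = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue
        if rec["identity"] is not None and rec["ca_fp"] in trusted_ca_fps:
            who = rec["identity"]
        elif rec["identity"] is not None:
            who = "UNTRUSTED-CA"
        else:
            who = "UNKNOWN-KEY:" + rec["key_fp"]
        out.append((rec["user"], who))
    return out

# Constructed sample data: placeholder fingerprints, not real keys.
CA_FP = "SHA256:CAfingerprintPLACEHOLDER0000000000000000000"
KEY_FP = "SHA256:keyfingerprintPLACEHOLDER000000000000000000"
SAMPLE_LOG = [
    "Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from 192.0.2.9 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA " + CA_FP,
    "Jan 30 11:52:03 test1 sshd[4801]: Accepted publickey for www from 192.0.2.9 port 56950 ssh2: RSA-CERT ID brian (serial 1) CA RSA " + CA_FP,
    "Jan 30 11:53:10 test1 sshd[4830]: Accepted publickey for www from 192.0.2.20 port 40112 ssh2: ED25519 " + KEY_FP,
    "Jan 30 11:53:11 test1 sshd[4830]: pam_unix(sshd:session): session opened for user www by (uid=0)",
    "Jan 30 11:55:00 test1 sshd[4900]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2: ED25519-CERT ID carol (serial 7) CA ED25519 SHA256:OTHERCAPLACEHOLDER",
]
```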