On 1/31/20 3:52 PM, Brian Candler wrote:
> On 31/01/2020 14:29, Michael Ströder wrote:
>> Hmm, personally I'd recommend not to issue user certs for generic user
>> names (e.g. "www"). While some cert information is logged by sshd, it
>> requires keeping track of all issued certs in a searchable data store to
>> be able to properly map logins to personal user accounts during an audit.
>
> I thought that was the point of the certificate "identity" (-I) in
> addition to the "principals" (-n). The login shows the certificate
> identity:
>
> Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from
> 2001_db8::2009 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA
> SHA256:fofx2XMj+RqnLlui09aDIuV9fWqPiU54oWStDzYr/p0
>
> In this case, the cert identity was "brian"; cert principals were
> "alice" and "www"; ssh login was as user "alice".

Ah, ok. The description of the semantics in ssh-keygen(1) is not really clear, so currently I've just set a UUID for each new key pair. But I could prefix this with a user name.

> It's still a good idea to keep track of all issued certs though, in case
> you need to revoke one.

Or better, get rid of the revocation requirement. ;-)

Ciao, Michael.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
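As an added example (not part of the thread above), a small Python parser that turns sshd "Accepted publickey" lines like the one Brian quoted into audit records, using the certificate key ID (-I) to attribute a login on a shared principal such as "www" to a person. The sample log lines and the "user:uuid" key-ID prefix scheme are constructed assumptions, not anything sshd or ssh-keygen mandates.

```python
import re
from typing import Dict, List, Optional

# Constructed sample sshd lines: the first mirrors the one quoted in the thread,
# the second uses an assumed "<user>:<uuid>" key ID, the third is a plain key login.
SAMPLE_LOG = """\
Jan 30 11:50:49 test1 sshd[4757]: Accepted publickey for alice from 2001:db8::2009 port 56943 ssh2: RSA-CERT ID brian (serial 1) CA RSA SHA256:fofx2XMj+RqnLlui09aDIuV9fWqPiU54oWStDzYr/p0
Jan 30 11:52:03 test1 sshd[4790]: Accepted publickey for www from 2001:db8::2009 port 56950 ssh2: ED25519-CERT ID michael:3f2504e0-4f89-11d3-9a0c-0305e82c3301 (serial 7) CA ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 30 11:53:10 test1 sshd[4801]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

# sshd logs "<keytype> SHA256:<fp>" for plain keys and
# "<keytype>-CERT ID <id> (serial <n>) CA <catype> SHA256:<ca fp>" for certificates.
LOGIN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2: (?P<keytype>\S+)"
    r"(?: ID (?P<cert_id>.+?) \(serial (?P<serial>\d+)\) CA (?P<ca_type>\S+))? "
    r"(?P<fp>SHA256:\S+)"
)


def parse_login(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one 'Accepted publickey' line, or None if it is not one."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def attribute_logins(log: str, id_sep: str = ":") -> List[Dict[str, Optional[str]]]:
    """Map each accepted login to the person behind it.

    With a certificate the person is taken from the key ID; if the ID follows the
    assumed "<user><id_sep><uuid>" scheme, only the part before id_sep is used.
    Without a certificate the login account is all sshd tells us, so the record
    is flagged for a separate authorized_keys fingerprint lookup.
    """
    records = []
    for line in log.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        if rec["cert_id"]:
            person = rec["cert_id"].split(id_sep, 1)[0]
            note = "personal account" if person == rec["user"] else "login name differs from cert ID"
        else:
            person, note = None, "no cert: resolve key fingerprint via authorized_keys"
        records.append({"login": rec["user"], "person": person, "serial": rec["serial"],
                        "src": rec["src"], "fp": rec["fp"], "note": note})
    return records
```

Serial and CA fingerprint in each record are what you would join against the CA's issuance log when a certificate has to be revoked.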