Do you know about certificates for OpenSSH? You create a CA for host keys and another for client keys. Then you create a certificate for all of your host-key public keys with your host CA. Publish these certificates to all of your hosts and change the configuration of sshd to use these certificates as well. Publish the public key of your user CA to all hosts. Publish the pubkey of the host CA to all your clients. Then create certificates with the user CA for all of the users' pubkeys. Add principals (one or more) to these user certs. Give them to the users.

Change ssh_config to accept only hosts with valid host certs.

Create mapping files. Each PAM user gets its own file, where the principals are listed (one per line) which are allowed to log in as this user.

You don't need to accept a changed host key anymore. You can regulate with the principals file which user can log in as which user. You can also use a script instead of these files, so LDAP or other mechanisms are possible too via script.

Certs can have a serial number and a validity date. You can revoke the whole user by pubkey, or revoke by serial number.

This is a first entry point: https://chandanduttachowdhury.wordpress.com/2014/12/31/certificate-based-ssh-user-authentication/

Many howtos talk about pubkeys instead of certificates when you search on your search engine. Be careful with your searches. Certificates are using pubkeys, they are not pubkeys!!

Regards
Jakob
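The workflow described in the post, as an added example that is not part of the original message: two CAs, a signed host key, a user certificate carrying principals, a serial and a validity window, the per-user principals mapping, the client-side @cert-authority line, and revocation by serial through a KRL. It assumes ssh-keygen is installed; the hostnames, principals, serial and the scratch directory are constructed values, and every path is a placeholder rather than a real /etc/ssh deployment.

```shell
#!/bin/sh
# Constructed demo of the OpenSSH certificate setup. All files are
# written under the scratch directory given as $1; nothing touches /etc/ssh.
set -eu

setup_pki() (
  work=$1
  mkdir -p "$work" && cd "$work"

  # 1. One CA for host keys and a separate CA for user keys.
  ssh-keygen -q -t ed25519 -N '' -f host_ca -C host-ca
  ssh-keygen -q -t ed25519 -N '' -f user_ca -C user-ca

  # 2. Host key signed by the host CA: -h marks a host cert, -n lists the
  #    hostnames the cert is valid for, -V limits its lifetime.
  ssh-keygen -q -t ed25519 -N '' -f ssh_host_ed25519_key
  ssh-keygen -q -s host_ca -I web1 -h -n web1.example.test -V +52w \
    ssh_host_ed25519_key.pub

  # 3. User key signed by the user CA with principals (-n), a serial (-z)
  #    and a short validity window; the cert lands in alice_key-cert.pub.
  ssh-keygen -q -t ed25519 -N '' -f alice_key
  ssh-keygen -q -s user_ca -I alice -n alice,webadmin -z 1001 -V +1d alice_key.pub

  # 4. Server side: present the host cert, trust the user CA, map principals
  #    to local accounts via one file per user, and honour the revocation list.
  mkdir -p principals
  printf 'webadmin\n' > principals/www   # only the "webadmin" principal may log in as www
  printf 'HostCertificate %s\nTrustedUserCAKeys %s\nAuthorizedPrincipalsFile %s\nRevokedKeys %s\n' \
    "$work/ssh_host_ed25519_key-cert.pub" "$work/user_ca.pub" \
    "$work/principals/%u" "$work/revoked.krl" > sshd_config.snippet

  # 5. Client side: trusting the host CA for the domain means a rotated host
  #    key with a valid cert is accepted without a changed-host-key prompt.
  printf '@cert-authority *.example.test %s\n' "$(cat host_ca.pub)" > known_hosts

  # 6. Revoke alice's cert by serial number only (her raw pubkey stays valid).
  printf 'serial: 1001\n' > revoke.spec
  ssh-keygen -q -k -f revoked.krl -s user_ca.pub -z 1 revoke.spec
)
```

After running, `ssh-keygen -L -f alice_key-cert.pub` shows the principals and validity, and `ssh-keygen -Q -f revoked.krl alice_key-cert.pub` reports the cert as revoked while the host cert is not.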