It looks like there are a number of ways you can do this:

1. You can set TrustedUserCAKeys to a valid CA pubkey file and set AuthorizedKeysFile to something like /etc/ssh/empty.
2. You can set PubkeyAcceptedKeyTypes to a cert type.

I think both of these will work either globally or in a Match block.
Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:

```
AuthorizedPrincipalsFile /etc/ssh/principals/%u
TrustedUserCAKeys /etc/ssh/ca.pub
AllowGroups public-ssh
AuthorizedKeysFile none
AuthorizedKeysCommand /sbin/authorized_keys
AuthorizedKeysCommandUser nobody
AuthenticationMethods publickey
PubkeyAuthentication yes

Match Address 10.0.0.0/8
    AllowGroups private-ssh root
    PermitRootLogin prohibit-password

Match User git
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
```

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
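To see which values the git user and other users actually end up with under that layout, here is an added example (not from the poster or from OpenSSH) that models sshd's Match resolution for the stanzas above: global keywords take the first value seen, a matching Match block overrides them, and when several blocks match, the first matching block wins for each keyword. It models only Match User and Match Address, and writes the masked certificate key type out as the standard ssh-ed25519-cert-v01@openssh.com identifier.

```python
import fnmatch
import ipaddress
# Constructed input: a subset of the stanzas from the reply above. The archive masked
# the domain in the key type; it is written here as the standard OpenSSH identifier.
SSHD_CONFIG = """TrustedUserCAKeys /etc/ssh/ca.pub
AllowGroups public-ssh
AuthorizedKeysFile none
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    AllowGroups private-ssh root
    PermitRootLogin prohibit-password
Match User git
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
"""

def parse(text):
    """Return (global options, [(match criteria, options), ...]), keywords lowercased."""
    glob, blocks, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            toks = val.split()  # criterion/pattern pairs: Match User git Address 10.0.0.0/8
            cur = {}
            blocks.append((dict(zip((t.lower() for t in toks[::2]), toks[1::2])), cur))
        else:  # sshd keeps the first value it sees for a keyword within a section
            (glob if cur is None else cur).setdefault(key, val)
    return glob, blocks

def matches(criteria, user, addr):
    """Evaluate Match User (glob patterns) and Match Address (CIDR list); others raise KeyError."""
    ip = ipaddress.ip_address(addr)
    tests = {
        "user": lambda pat: any(fnmatch.fnmatchcase(user, p) for p in pat.split(",")),
        "address": lambda pat: any(ip in ipaddress.ip_network(n, strict=False) for n in pat.split(",")),
    }
    return all(tests[crit](pat) for crit, pat in criteria.items())

def effective_config(text, user, addr):
    """Global values overridden by Match blocks; the first matching block wins per keyword."""
    glob, blocks = parse(text)
    matched = {}
    for criteria, opts in blocks:
        if matches(criteria, user, addr):
            for k, v in opts.items():
                matched.setdefault(k, v)
    return {**glob, **matched}
```

On a real host the authoritative check is `sshd -T -C user=git,addr=10.0.0.5` (with host= and laddr= as needed), which prints the effective configuration for that connection spec.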