Hm, I don't want to mix them, I want to use the AuthenticationMethods feature that enforces that the user must have 1 certificate and 1 normal pubkey to be authenticated. (I don't think that's possible with your suggestions?)

At the moment, users can just put multiple keys in the ~/.ssh/authorized_keys. If, for example, they put 2 pubkeys there, they can access the system because the AuthenticationMethods pubkey,pubkey rule is satisfied. But I want to have a rule that one of those 2 pubkeys *must* be a certificate, so the user uses 1 certificate and 1 normal pubkey instead of 2 normal pubkeys.

Wim

On Wed 3 Feb 2021 at 22:49, asymptosis <asymptosis@xxxxxxxxxx> wrote:

> > > it looks like there are a number of ways you can do this:
> > >
> > > 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
> > > AuthorizedKeysFile to something like /etc/ssh/empty
> > >
> > > 2. You can set PubkeyAcceptedKeyTypes to a cert type.
> > >
> > > I think both of these will work either globally or in a Match block.
>
> Yes, spot on. These are the relevant stanzas from my sshd_config on a box where I mix certificates for the git user with regular keypair auth for other users:
>
> ```
> AuthorizedPrincipalsFile /etc/ssh/principals/%u
> TrustedUserCAKeys /etc/ssh/ca.pub
>
> AllowGroups public-ssh
> AuthorizedKeysFile none
> AuthorizedKeysCommand /sbin/authorized_keys
> AuthorizedKeysCommandUser nobody
>
> AuthenticationMethods publickey
> PubkeyAuthentication yes
>
> Match Address 10.0.0.0/8
> AllowGroups private-ssh root
> PermitRootLogin prohibit-password
>
> Match User git
> PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
> ```

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
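As an added illustration of the concern raised in this message (example code, not from the thread or from OpenSSH): a small Python audit that parses authorized_keys content and flags accounts holding two or more distinct ordinary keys, since such an account can satisfy `AuthenticationMethods publickey,publickey` without presenting any certificate. The key-type list and the sample file are constructed assumptions.

```python
import base64

# Assumed, non-exhaustive set of key algorithms accepted in authorized_keys.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def blob_matches_type(ktype, blob):
    """True if blob is base64 SSH wire format beginning with string(ktype)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    n = int.from_bytes(raw[:4], "big") if len(raw) >= 4 else -1
    return n > 0 and raw[4:4 + n] == ktype.encode() and len(raw) > 4 + n

def parse_authorized_keys(text):
    """Return the distinct (type, blob) pairs; comments, blank lines and
    malformed entries are skipped, and a leading options field such as
    from="..." is passed over by finding the first token naming a key type."""
    keys = set()
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        ktype, blob = tokens[idx], tokens[idx + 1]
        if blob_matches_type(ktype, blob):
            keys.add((ktype, blob))
    return keys

def two_key_bypass_possible(text):
    """True when two distinct ordinary keys are present, i.e. the account
    can satisfy 'publickey,publickey' with no certificate at all."""
    return len(parse_authorized_keys(text)) >= 2

def fake_blob(ktype, seed):
    """Constructed, non-functional blob shaped like a key: string(type)+string(32)."""
    name = ktype.encode()
    body = bytes((seed + i) % 256 for i in range(32))
    raw = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + body
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([
    "# constructed authorized_keys: two distinct keys, one duplicate, one junk",
    f"ssh-ed25519 {fake_blob('ssh-ed25519', 1)} laptop",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {fake_blob("ssh-ed25519", 2)} desk',
    f"ssh-ed25519 {fake_blob('ssh-ed25519', 1)} same-key-again",
    "ssh-ed25519 bm90LWEta2V5 junk",  # valid base64 but not a key blob
])
```

Running `two_key_bypass_possible(SAMPLE)` returns True, because the duplicate and the junk line are discarded but two distinct ordinary keys remain.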