On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing@xxxxxxxxx> wrote:
> This prevents getting into the system if you have control of the MFA
> setup (which is handled by another team) or getting into the system
> without MFA :-)

heh, seems like you all have trust issues :)

more seriously though, without over-engineering this, I *think* you could do something like

    AuthenticationMethods publickey,publickey
    TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
    AuthorizedKeysFile none
    AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
    AuthorizedKeysCommandUser nobody

and then /pull/a/single/key looks like

    #!/bin/bash
    head -1 "$1"

or you could store the pubkeys somewhere the user can't control, like ldap, and use an authorizedkeyscommand to fetch them.

I agree though, if a publickey:certificate option existed, it'd be a lot cleaner.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
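A more defensive version of the /pull/a/single/key helper from the reply above, added here as an example and not code from the poster: it skips comments and blank lines, tolerates key options, and still emits at most one key so the second publickey method can only be satisfied by the CA-signed certificate. The install path /usr/local/sbin/single-key and the sample authorized_keys contents are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. A hardened replacement for
# /pull/a/single/key: it prints at most ONE key from the file named in $1,
# so with "AuthenticationMethods publickey,publickey" a second key that the
# user appended to ~/.ssh/authorized_keys can never stand in for the
# CA-signed certificate. Assumed sshd_config lines:
#   AuthorizedKeysCommand /usr/local/sbin/single-key %h/.ssh/authorized_keys
#   AuthorizedKeysCommandUser nobody

# single_key FILE: print the first line that carries an OpenSSH public key.
# Comment and blank lines are skipped; a key may be preceded by options
# (e.g. no-pty,command="..."), so the key type is looked for in any field
# that still has key material after it. Exit 1 (fail closed: sshd then
# finds no key) if the file is unreadable or holds no key.
single_key() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*#/ { next }   # comment line
        NF == 0          { next }   # blank line
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print            # emit exactly one line ...
                    found = 1
                    exit             # ... and stop reading
                }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# When run by sshd the authorized_keys path arrives as $1.
if [ "$#" -ge 1 ]; then
    single_key "$1"
fi
```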