I thought of something similar, but the user said "but I want to have multiple ssh keys because I use different keys on different devices" :/

On Wed, 3 Feb 2021 at 23:59, Peter Moody <mindrot@xxxxxxxx> wrote:
>
> On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing@xxxxxxxxx> wrote:
>
> > This prevents getting into the system if you have control of the MFA
> > setup (which is handled by another team) or getting into the system
> > without MFA :-)
>
> heh, seems like you all have trust issues :)
>
> more seriously though, without over-engineering this, I *think*
> you could do something like
>
> AuthenticationMethods publickey,publickey
> TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
> AuthorizedKeysFile none
> AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
> AuthorizedKeysCommandUser nobody
>
> and then /pull/a/single/key looks like
>
> #!/bin/bash
> head -1 "$1"
>
> or you could store the pubkeys somewhere the user can't control, like
> ldap, and use an authorizedkeyscommand to fetch them.
>
> I agree though, if a publickey:certificate option existed, it'd be a
> lot cleaner.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev