What other %-tokens are available with AuthorizedKeysCommand? Could you pass one or more of them to /pull/a/single/key in order to enable a single key that differs per user or per client host or whatever the criteria are?

> On Feb 3, 2021, at 15:21, Wim S <wimsharing@xxxxxxxxx> wrote:
>
> I thought of something similar, but the user said "but I want to have
> multiple ssh keys because I use different keys on different devices"
> :/
>
> On Wed 3 Feb 2021 at 23:59, Peter Moody <mindrot@xxxxxxxx> wrote:
>>
>>> On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing@xxxxxxxxx> wrote:
>>>
>>> This prevents getting into the system if you have control of the MFA
>>> setup (which is handled by another team) or getting into the system
>>> without MFA :-)
>>
>> heh, seems like you all have trust issues :)
>>
>> more seriously though, without over-engineering this, I *think*
>> you could do something like
>>
>> AuthenticationMethods publickey,publickey
>> TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
>> AuthorizedKeysFile none
>> AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
>> AuthorizedKeysCommandUser nobody
>>
>> and then /pull/a/single/key looks like
>>
>> #!/bin/bash
>> head -1 "$1"
>>
>> or you could store the pubkeys somewhere the user can't control, like
>> ldap, and use an authorizedkeyscommand to fetch them.
>>
>> I agree though, if a publickey:certificate option existed, it'd be a
>> lot cleaner.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
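An added example, not code from the thread, of the "store the pubkeys somewhere the user can't control" variant of Peter's AuthorizedKeysCommand setup, using the %-tokens the reply asks about: %u, %t and %k are real AuthorizedKeysCommand tokens (user name, key type, base64 key blob). The /usr/local/sbin/pull-keys path, the /etc/ssh/authorized_keys.d store and the pull_keys function are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Serves a user's public keys from an
# admin-controlled store instead of ~/.ssh/authorized_keys, so the second
# publickey factor cannot be satisfied by a key the user added himself.
# Assumed sshd_config wiring (%u = user name, %t = key type, %k = base64 key
# blob are real AuthorizedKeysCommand tokens; the script path is an assumption):
#   AuthenticationMethods publickey,publickey
#   TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/sbin/pull-keys %u %t %k
#   AuthorizedKeysCommandUser nobody

KEYDIR=${KEYDIR:-/etc/ssh/authorized_keys.d}   # assumed: one file per user, root-owned
KEYOWNER=${KEYOWNER:-root}                      # required owner of that file

# pull_keys USER KEYTYPE KEYBLOB
# Prints the authorized_keys line(s) for USER that carry the offered key, or
# nothing. Returns 1 (and prints nothing) when the store fails policy.
pull_keys() {
    user=$1 ktype=$2 kblob=$3
    # Plain account names only: reject empty names, path components, dot/dash prefixes.
    case $user in
        ''|*/*|*..*|.*|-*) return 1 ;;
    esac
    f=$KEYDIR/$user
    [ -f "$f" ] || return 1
    # The file must be owned by KEYOWNER and not writable by group or others,
    # otherwise the user (or anyone else) could have planted a key in it.
    [ -n "$(find "$f" -prune -user "$KEYOWNER" 2>/dev/null)" ] || return 1
    [ -z "$(find "$f" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ] || return 1
    # Emit only lines whose key matches what the client offered; sshd still
    # verifies the signature, this just narrows the output and keeps the
    # per-device comment handy for logging. A leading options field is tolerated.
    awk -v t="$ktype" -v k="$kblob" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i+1) == k) { print; exit } }
    ' "$f"
}

# When installed and run as the AuthorizedKeysCommand itself:
if [ "${0##*/}" = "pull-keys" ]; then
    pull_keys "$@"
fi
```

The store directory and each per-user file must be root-owned and mode 0644 or stricter; the ownership and permission checks above make the command fail closed if that ever drifts.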