On 03/02/21, Jim Knoble (jmknoble@xxxxxxxxx) wrote:

> What other %-tokens are available with AuthorizedKeysCommand? Could
> you pass one or more of them to /pull/a/single/key in order to enable
> a single key that differs per user or per client host or whatever the
> criteria are?

AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u. That is, the key/certificate fingerprint, home directory of the user, base64 key or certificate key, key type, numeric user id or username.

Although this probably isn't appropriate for Wim's use case, the use of certificate principals could be considered. One can use the AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser and AuthorizedPrincipalsFile to control access based on the permitted principal names specified in a certificate. Additionally, user identification can be embedded in a certificate.

I guess if one trusts the certificate issuer to only issue certificates to valid public key holders, and where the certificate is scoped by principal, the requirement to also validate the original public key on the target ssh host falls away.

Regretfully, I've been unable to convince my team to trust the use of certificates sufficiently to do this(!)

Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
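As an added illustration of the %u, %t and %k tokens listed above (example code written for this page, not part of the thread and not OpenSSH's own): a minimal AuthorizedKeysCommand script that hands sshd back only the one key the client actually offered, which is one way to enable a single key per user without a full authorized_keys file. The script path, the KEYSTORE layout and the key contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an AuthorizedKeysCommand that uses the
# %u, %t and %k tokens so that sshd receives back only the one key the client
# offered, provided that exact key is registered for that user. Hypothetical
# sshd_config lines that would invoke it:
#   AuthorizedKeysCommand /usr/local/sbin/pull-single-key %u %t %k
#   AuthorizedKeysCommandUser nobody
set -eu

# Constructed per-user key store for the demonstration (the blobs are not real
# keys); a deployment would point KEYSTORE at a fixed, root-owned directory.
KEYSTORE=$(mktemp -d)
cat > "$KEYSTORE/alice" <<'EOF'
ssh-ed25519 AAAAC3ConstructedAliceLaptop alice@laptop
no-pty,command="/usr/bin/backup" ssh-ed25519 AAAAC3ConstructedAliceBackup backup-only
EOF

# pull_single_key USER KEYTYPE BASE64BLOB
# Prints the matching authorized_keys line (options and comment intact) and
# returns 0; prints nothing and returns 1 when there is no exact match.
pull_single_key() {
    user=$1 ktype=$2 kblob=$3
    # %u is the login name the client asked for, so treat it as untrusted:
    # allow only plain account names before it is used as a path component.
    case $user in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    f="$KEYSTORE/$user"
    [ -f "$f" ] || return 1
    # A stored line is either "type blob [comment]" or "options type blob
    # [comment]" (options without embedded whitespace); require the
    # (type, blob) pair to match exactly so unrelated keys never reach sshd.
    awk -v t="$ktype" -v b="$kblob" \
        '($1 == t && $2 == b) || ($2 == t && $3 == b) { print; found = 1 }
         END { exit !found }' "$f"
}
```

Because the lookup keys on the exact (type, blob) pair, a user whose offered key is not in the store gets an empty answer, and the ordinary authorized_keys fallback (if any) still applies as configured.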