Re: AuthenticationMethods for ssh certificate

On 03/02/21, Jim Knoble (jmknoble@xxxxxxxxx) wrote:
> What other %-tokens are available with AuthorizedKeysCommand? Could
> you pass one or more of them to /pull/a/single/key in order to enable
> a single key that differs per user or per client host or whatever the
> criteria are?

AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
That is, the key/certificate fingerprint, home directory of the user,
base64 key or certificate key, key type, numeric user id or username.

Although this probably isn't appropriate for Wim's use-case, the use of
certificate principals could be considered. One can use the
AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser and
AuthorizedPrincipalsFile to control access based on the permitted
principal names specified in a certificate.

Additionally, user identification can be embedded in a certificate.

I guess if one trusts the certificate issuer to only issue certificates
to valid public key holders, and where the certificate is scoped by
principal, the requirement to also validate the original public key on
the target ssh host falls away.

Regretfully, I've been unable to convince my team to trust the use of
certificates sufficiently to do this(!)

Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
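As an added illustration of the principal-based approach Rory describes (not code from the post or from OpenSSH itself), here is a minimal AuthorizedPrincipalsCommand handler together with the sshd_config fragment that would invoke it. The account-to-principal mapping, the script path and the CA key path are constructed assumptions; the %u and %i tokens are the ones sshd_config(5) documents for this directive.

```shell
#!/bin/sh
# Added example: an AuthorizedPrincipalsCommand handler. With this in place the
# target host never needs the user's raw public key on disk; it trusts the CA
# (TrustedUserCAKeys) and only decides which certificate principals may log in
# as a given account.
#
# Assumed sshd_config fragment (paths are placeholders):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u %i
#   AuthorizedPrincipalsCommandUser nobody
#   AuthorizedKeysFile none
#
# sshd expands the tokens and runs the command as the listed user. The command
# prints, one per line, the principal names allowed to log in as %u; login
# succeeds only if the presented certificate carries one of them. To see what
# principals a certificate actually carries: ssh-keygen -L -f id_ed25519-cert.pub

# Constructed mapping: target account -> permitted certificate principals.
# A real deployment would read this from a file or a directory service.
principals_for_user() {
    case "$1" in
        deploy) printf '%s\n' "ci-runner" "release-mgr" ;;
        alice)  printf '%s\n' "alice@example.test" ;;
        *)      return 1 ;;   # unknown account: print nothing, sshd denies login
    esac
}

# Entry point in the shape sshd invokes: $1 = %u (account), $2 = %i (cert key ID).
# The key ID is not needed for the decision here but is useful in audit logs.
ssh_principals() {
    user="$1"
    # Accept only plain account names so that nothing unexpected in the
    # expanded token can reach the mapping logic.
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    principals_for_user "$user"
}

# When run as a script rather than sourced, behave as the handler itself.
if [ "${0##*/}" = "ssh-principals" ]; then
    ssh_principals "$@"
fi
```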