Hi,

I don't seem to find a way to specify that one of the pubkeys in
AuthenticationMethods pubkey,pubkey should be a valid ssh certificate.

Is there maybe any other way to enforce this?

If not, it would be nice to have something like
"AuthenticationMethods pubkey,pubkey:cert" supported.

Thanks,
Wim

On Wed, Feb 3, 2021 at 4:32 AM Wim S <wimsharing at gmail.com> wrote:
> I don't seem to find a way to specify that one of the pubkeys in
> AuthenticationMethods pubkey,pubkey should be a valid ssh certificate.
>
> Is there maybe any other way to enforce this?

It looks like there are a number of ways you can do this:

1. You can set TrustedUserCAKeys to a valid CA pubkey file and set
   AuthorizedKeysFile to something like /etc/ssh/empty
2. You can set PubkeyAcceptedKeyTypes to a cert type.

I think both of these will work either globally or in a Match block.
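
An added example, not part of the original thread and not OpenSSH code: a small Python audit for option 2 in the reply, reporting per scope (global and each Match block) whether the effective PubkeyAcceptedKeyTypes list admits only certificate algorithms. The sample config, the CA path and the function names are constructed for illustration; the check also accepts PubkeyAcceptedAlgorithms, the name this option has in later OpenSSH releases.

```python
import re

CERT_SUFFIX = "-cert-v01@openssh.com"
KEYWORDS = {"pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}

# Constructed sample sshd_config (the CA path is a placeholder).
SAMPLE = """\
TrustedUserCAKeys /etc/ssh/user_ca.pub
PubkeyAcceptedKeyTypes +ssh-rsa
Match Group admins
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
Match User backup
    AuthorizedKeysFile /etc/ssh/empty
"""

def parse_scopes(config_text):
    """Map each scope to the first key-type list set inside it (or None)."""
    scopes, scope = {"global": None}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + arg
            scopes.setdefault(scope, None)
        elif keyword in KEYWORDS and scopes[scope] is None:
            scopes[scope] = arg  # sshd keeps the first value it obtains
    return scopes

def cert_only(value):
    """True only if every listed algorithm pattern is a certificate type."""
    # Unset, or a +/-/^ modifier: the default set, which includes plain
    # keys, is still in play, so treat it conservatively as not cert-only.
    if not value or value[0] in "+-^":
        return False
    return all(a.strip().endswith(CERT_SUFFIX) for a in value.split(","))

def audit(config_text):
    """Return {scope: bool}; a Match block without the option inherits global."""
    scopes = parse_scopes(config_text)
    glob = scopes["global"]
    return {s: cert_only(v if v is not None else glob) for s, v in scopes.items()}

if __name__ == "__main__":
    for scope, ok in audit(SAMPLE).items():
        print(f"{scope}: {'certificates only' if ok else 'plain keys accepted'}")
```

The "Match User backup" block shows why option 1 is not visible to this check: an AuthorizedKeysFile pointing at an empty file has to be verified on disk, not in the config text.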