On Wed, Feb 3, 2021 at 4:32 AM Wim S <wimsharing at gmail.com> wrote:
> I don't seem to find a way to specify that one of the pubkey in
> AuthenticationMethods pubkey,pubkey should be a valid ssh certificate.
>
> Is there maybe any other way to enforce this?

It looks like there are a number of ways you can do this:

1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
AuthorizedKeysFile to something like /etc/ssh/empty

2. You can set PubkeyAcceptedKeyTypes to a cert type.

I think both of these will work either globally or in a Match block.
> It looks like there are a number of ways you can do this:
>
> 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
> AuthorizedKeysFile to something like /etc/ssh/empty
>
> 2. You can set PubkeyAcceptedKeyTypes to a cert type.
>
> I think both of these will work either globally or in a Match block.

Yes, spot on. These are the relevant stanzas from my sshd_config on a box
where I mix certificates for the git user with regular keypair auth for
other users:

```
AuthorizedPrincipalsFile /etc/ssh/principals/%u
TrustedUserCAKeys /etc/ssh/ca.pub
AllowGroups public-ssh
AuthorizedKeysFile none
AuthorizedKeysCommand /sbin/authorized_keys
AuthorizedKeysCommandUser nobody
AuthenticationMethods publickey
PubkeyAuthentication yes

Match Address 10.0.0.0/8
    AllowGroups private-ssh root
    PermitRootLogin prohibit-password

Match User git
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
```