On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark <mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice" and
> > "www" to machines in group "webserver" (only). Also, I want Bob to be
> > able to login as "bob" and "www" to machines in group "webserver"
> > (only).
>
> Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob? Wouldn't that allow alice to ssh as alice, and www, and allow
> bob to ssh as bob and www to any machines that had this
> authorizedPrincipals file configuration?

this is the right answer. you want to use AuthorizedPrincipalsFile (or
AuthorizedPrincipalsCommand if your authz information needs to change
on a quicker cadence than your config pushes) on the machines.

you'd have something like

$ cat /etc/ssh/sshd_config

<snip>
TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys

Match User www
AuthorizedKeysFile /etc/ssh/empty
AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
<snip>

$ cat /etc/ssh/www_authorized_principals
alice
bob

and alice and bob just have regular user certificates with 'alice' or
'bob' in the principals
On 30/01/2020 16:41, Peter Moody wrote:
> this is the right answer. you want to use AuthorizedPrincipalsFile (or
> AuthorizedPrincipalsCommand if your authz information needs to change
> on a quicker cadence than your config pushes) on the machines.
>
> you'd have something like
>
> $ cat /etc/ssh/sshd_config
>
> <snip>
> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
>
> Match User www
> AuthorizedKeysFile /etc/ssh/empty
> AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> <snip>
>
> $ cat /etc/ssh/www_authorized_principals
> alice
> bob
>
> and alice and bob just have regular user certificates with 'alice' or
> 'bob' in the principals

But that doesn't solve the other part of my problem, which is that alice
and bob's certificates should only be usable for logging in to a
specific group of hosts - even as their own username "alice" or "bob".
On Thu, 2020-01-30 at 16:45 +0000, Brian Candler wrote:
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile
> > (or AuthorizedPrincipalsCommand if your authz information needs to
> > change on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> > AuthorizedKeysFile /etc/ssh/empty
> > AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice'
> > or 'bob' in the principals
>
> But that doesn't solve the other part of my problem, which is that
> alice and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or
> "bob".

AllowGroups, AllowUsers in sshd_config. /etc/security/access.conf or
equivalent. These are the ways to limit access to systems where bob and
alice are not authorized.

Mark
On Thu, Jan 30, 2020 at 8:45 AM Brian Candler <b.candler at pobox.com> wrote:
>
> On 30/01/2020 16:41, Peter Moody wrote:
> > this is the right answer. you want to use AuthorizedPrincipalsFile (or
> > AuthorizedPrincipalsCommand if your authz information needs to change
> > on a quicker cadence than your config pushes) on the machines.
> >
> > you'd have something like
> >
> > $ cat /etc/ssh/sshd_config
> >
> > <snip>
> > TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
> >
> > Match User www
> > AuthorizedKeysFile /etc/ssh/empty
> > AuthorizedPrincipalsFile /etc/ssh/www_authorized_principals
> > <snip>
> >
> > $ cat /etc/ssh/www_authorized_principals
> > alice
> > bob
> >
> > and alice and bob just have regular user certificates with 'alice' or
> > 'bob' in the principals
>
>
> But that doesn't solve the other part of my problem, which is that alice
> and bob's certificates should only be usable for logging in to a
> specific group of hosts - even as their own username "alice" or "bob".

on any machine that has those two snippets above, 'alice' and 'bob' will
be able to log in as 'www'. If user accounts for 'alice' and 'bob' exist
on those same machines, 'alice' and 'bob' will be able to log in as only
'alice' and 'bob' respectively (ie, a certificate with 'alice' can be
used to authenticate as the alice user and a certificate with 'bob' can
be used to authenticate as the 'bob' user). the posix user accounts don't
need to exist on a given machine to use the
AuthorizedPrincipalsFile/AuthorizedPrincipalsCommand for logging in as a
shared user.

If you're saying that you don't want 'alice' or 'bob' to be able to log
into the webserver machines as alice or bob, then don't create those
accounts, but they can still use their certificates with the
AuthorizedPrincipalsFile to get access to www
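As an added illustration (not from the thread and not sshd's own code), the following simplified model of sshd's per-host decision shows how the pieces discussed above combine: a certificate principal must equal the login name unless that account has an AuthorizedPrincipalsFile, the account must exist on the host, and AllowUsers/AllowGroups can deny a host entirely. The host definitions and certificate principals are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Host:
    """Constructed model of one machine's sshd_config and accounts."""
    name: str
    users: set                      # POSIX accounts present on the host
    groups: dict = field(default_factory=dict)   # user -> set of group names
    principals_files: dict = field(default_factory=dict)  # user -> AuthorizedPrincipalsFile lines
    allow_users: Optional[set] = None   # AllowUsers directive (None = not set)
    allow_groups: Optional[set] = None  # AllowGroups directive (None = not set)

def login_allowed(host, target_user, cert_principals):
    """Return (allowed, reason) for a CA-signed cert presented for target_user.
    Simplified model: ignores authorized_keys, cert validity period and options."""
    if target_user not in host.users:
        return False, "no such account on host"
    # AllowUsers / AllowGroups gate the account regardless of how it authenticates
    if host.allow_users is not None and target_user not in host.allow_users:
        return False, "denied by AllowUsers"
    if host.allow_groups is not None and not (
            host.groups.get(target_user, set()) & host.allow_groups):
        return False, "denied by AllowGroups"
    # Without an AuthorizedPrincipalsFile the cert must carry the login name itself;
    # with one, any listed principal is acceptable for that (shared) account.
    acceptable = set(host.principals_files.get(target_user, [target_user]))
    matched = acceptable & set(cert_principals)
    if matched:
        return True, "principal %s accepted" % sorted(matched)[0]
    return False, "no certificate principal matches"

# Constructed hosts: a webserver with the thread's config, and a db host
# where only carol is allowed in and www has no AuthorizedPrincipalsFile.
WEBSERVER = Host("web1", users={"www", "alice", "bob"},
                 principals_files={"www": ["alice", "bob"]})
DBSERVER = Host("db1", users={"www", "alice", "carol"},
                allow_users={"carol"})

if __name__ == "__main__":
    for host, user, princ in [(WEBSERVER, "www", ["alice"]), (WEBSERVER, "bob", ["alice"]),
                              (DBSERVER, "alice", ["alice"]), (DBSERVER, "www", ["bob"])]:
        print(host.name, user, princ, login_allowed(host, user, princ))
```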