Hm, I don't want to mix them, I want to use the AuthenticationMethods
feature that enforces that the user must have 1 certificate and 1
normal pubkey to be authenticated.
(I don't think that's possible with your suggestions?)
At the moment, users can just put multiple keys in the
~/.ssh/authorized_keys. If they for example put 2 pubkeys there, they
can access the system because the AuthenticationMethods pubkey,pubkey
rule is satisfied.
But I want to have a rule that one of those 2 pubkeys *must* be a
certificate, so the user uses 1 certificate and 1 normal pubkey
instead of 2 normal pubkeys.
Wim
Op wo 3 feb. 2021 om 22:49 schreef asymptosis <asymptosis at
posteo.net>:>
> >it looks like there are a number of ways you can do this:
> >
> > 1. You can set TrustedUserCAKeys to a valid ca pubkey file and set
> >AuthorizedKeysFile to something like /etc/ssh/empty
> >
> > 2. You can set PubkeyAcceptedKeyTypes to a cert type.
> >
> >I think both of these will work either globally or in a Match block.
>
> Yes, spot on. These are the relevant stanzas from my sshd_config on a box
where I mix certificates for the git user with regular keypair auth for other
users:
>
> ```
> AuthorizedPrincipalsFile /etc/ssh/principals/%u
> TrustedUserCAKeys /etc/ssh/ca.pub
>
> AllowGroups public-ssh
> AuthorizedKeysFile none
> AuthorizedKeysCommand /sbin/authorized_keys
> AuthorizedKeysCommandUser nobody
>
> AuthenticationMethods publickey
> PubkeyAuthentication yes
>
> Match Address 10.0.0.0/8
> AllowGroups private-ssh root
> PermitRootLogin prohibit-password
>
> Match User git
> PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01 at openssh.com,ssh-ed25519
> ```