What other %-tokens are available with AuthorizedKeysCommand? Could you pass one
or more of them to /pull/a/single/key in order to enable a single key that
differs per user or per client host or whatever the criteria are?
> On Feb 3, 2021, at 15:21, Wim S <wimsharing at gmail.com> wrote:
>
> I thought of something similar, but the user said "but I want to have
> multiple ssh keys because I use different keys on different devices"
> :/
>
> Op wo 3 feb. 2021 om 23:59 schreef Peter Moody <mindrot at hda3.com>:
>>
>>> On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing at gmail.com> wrote:
>>>
>>> This prevents getting into the system if you have control of the MFA
>>> setup (which is handled by another team) or getting into the system
>>> without MFA :-)
>>
>> heh, seems like you all have trust issues :)
>>
>> more seriously though, without over-engineering this, I *think*
>> you could do something like
>>
>> AuthenticationMethods publickey,publickey
>> TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
>> AuthorizedKeysFile none
>> AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
>> AuthorizedKeysCommandUser nobody
>>
>> and then /pull/a/single/key looks like
>>
>> #!/bin/bash
>> # emit only the first key of the file sshd passes in (%h/.ssh/authorized_keys);
>> # quote the argument so a home directory containing spaces still works
>> head -n 1 "$1"
>>
>> or you could store the pubkeys somewhere the user can't control, like
>> ldap, and use an authorizedkeyscommand to fetch them.
>>
>> I agree though, if a publickey:certificate option existed, it'd be a
>> lot cleaner.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
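As an added illustration of the per-user variant raised at the top of this message (example code written for this page, not posted by anyone in the thread): sshd_config(5) lets AuthorizedKeysCommand arguments carry tokens such as %u (username), %h (home directory), %t (type of the offered key) and %k (the offered key itself). The helper below assumes it is installed as `/usr/local/sbin/single-key` and invoked as `AuthorizedKeysCommand /usr/local/sbin/single-key %u` with `AuthorizedKeysFile none` and `AuthorizedKeysCommandUser nobody`, and that keys live under a root-owned directory `/etc/ssh/authorized_keys.d/<user>` the user cannot edit (both paths are assumptions). It prints only the first real key line for that user, refuses usernames that could escape the directory, and returns non-zero (so sshd gets no key) when nothing usable exists.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand helper (added example, not from the thread).
# Intended sshd_config (assumed):
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/sbin/single-key %u
#   AuthorizedKeysCommandUser nobody
# KEYDIR is an assumed, root-owned location the user cannot write to.
KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys.d}"

# first_key FILE: print the first line that is neither blank nor a '#' comment.
# Exit status 1 when the file is unreadable or holds no such line, so sshd
# sees an empty key list rather than a half-parsed one.
first_key() {
    [ -r "$1" ] || return 1
    awk 'NF > 0 && $1 !~ /^#/ { print; found = 1; exit } END { exit !found }' "$1"
}

# single_key_for_user USER: validate the %u token before using it as a path
# component (no empty names, no slashes, no leading dot), then emit that
# user's single permitted key.
single_key_for_user() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
    first_key "$KEYDIR/$1"
}

# When run by sshd the username arrives as $1; when sourced for testing,
# nothing runs here.
if [ "$#" -gt 0 ]; then
    single_key_for_user "$1"
fi
```

Because the file is root-owned and only its first key line is ever returned, a user who can write to their own ~/.ssh cannot add a second key, which is the property the thread is after; the per-device wish in the quoted reply would instead be met by choosing which line to emit from the other tokens (for example %k) rather than by letting the user append lines.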