Hi,

We are wanting to use ssh certificates. We would like to create a certificate that says this ssh pub key can only connect to this server with this account.

Reading the manual, we have the strong feeling that what can be inserted in the certificate is the information that used to be in the authorized_keys.

But historically speaking, there was no need, at that time, to have a field named "destination-address", as this was implicit. That information wasn't needed as the authorized_keys applied to only one machine: the machine where the authorized_keys was installed on.

So how could I do this?

Thanks in advance for your help.

cED
On 14/10/2025 16:43, Briner Cédric (DIN) via openssh-unix-dev wrote:
> We are wanting to use ssh certificates. We would like to create a certificate that says this ssh pub key can only connect to this server with this account.
>
> Reading the manual, we have the strong feeling that what can be inserted in the certificate is the information that used to be in the authorized_keys.
>
> But historically speaking, there was no need, at that time, to have a field named "destination-address", as this was implicit. That information wasn't needed as the authorized_keys applied to only one machine: the machine where the authorized_keys was installed on.
>
> So how could I do this?

You can insert principals into the certificate, together with the AuthorizedPrincipalsCommand. For example, suppose you have:

    AuthorizedPrincipalsCommand /etc/ssh/principals.sh %u
    AuthorizedPrincipalsCommandUser nobody

where /etc/ssh/principals.sh looks like:

    #!/bin/sh -eu
    echo "$1@`hostname -f`"
    echo "$1@+webserver"

Then if you make an ssh connection like "ssh brian@www1.example.com", you will be granted access if your certificate contains principal "brian@www1.example.com" or "brian@+webserver".
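As an added illustration of the scheme above (my code, not from the thread or from OpenSSH), the matching sshd performs between the principals printed by an AuthorizedPrincipalsCommand and the principals baked into a certificate with ssh-keygen -n, with the host's pool memberships passed in instead of being hard-coded. The host name, pool names, user names and key paths are constructed for the example.

```shell
#!/bin/sh -eu
# Added example: a principals generator in the shape of /etc/ssh/principals.sh
# from the reply above, plus the check sshd effectively performs. Names are
# constructed; in production the pool list would come from a file on the host.

# Print the principals accepted for login user $1 on host $2, which belongs to
# the space-separated host pools in $3 (may be empty). The FQDN is a parameter
# rather than `hostname -f` so the logic can be exercised on any machine.
principals_for() {
    pf_user=$1; pf_fqdn=$2; pf_pools=${3:-}
    printf '%s@%s\n' "$pf_user" "$pf_fqdn"          # exact host, e.g. brian@www1.example.com
    for pf_pool in $pf_pools; do
        printf '%s@+%s\n' "$pf_user" "$pf_pool"     # host pool, e.g. brian@+webserver
    done
}

# What sshd runs with "AuthorizedPrincipalsCommand /etc/ssh/principals.sh %u":
#   principals_for "$1" "$(hostname -f)" "$(cat /etc/ssh/host_pools)"   # host_pools is a constructed path
#
# What the CA puts into the certificate (constructed paths; -n is the principal list):
#   ssh-keygen -s /path/to/ca_key -I brian-webservers -n brian@+webserver \
#       -V +52w /path/to/brian_key.pub
# Login succeeds only if one -n principal equals one line printed by principals_for.

# Return 0 if a certificate whose principals are $3 (comma-separated, as given to
# ssh-keygen -n) is accepted for user $1 on host $2 in pools $4; 1 otherwise.
cert_allowed() {
    ca_user=$1; ca_fqdn=$2; ca_cert_principals=$3; ca_pools=${4:-}
    ca_allowed=$(principals_for "$ca_user" "$ca_fqdn" "$ca_pools")
    for ca_p in $(printf '%s' "$ca_cert_principals" | tr ',' ' '); do
        # -x: whole-line match, -F: literal string, so brian@+web does not match brian@+webserver
        printf '%s\n' "$ca_allowed" | grep -qxF -- "$ca_p" && return 0
    done
    return 1
}

# Stand-alone demo: host www1.example.com in pool "webserver", user brian (constructed).
principals_for brian www1.example.com webserver
```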
On Tue, 14 Oct 2025, Briner Cédric (DIN) via openssh-unix-dev wrote:
> Hi,
>
> We are wanting to use ssh certificates. We would like to create a certificate that says this ssh pub key can only connect to this server with this account.
>
> Reading the manual, we have the strong feeling that what can be inserted in the certificate is the information that used to be in the authorized_keys.
>
> But historically speaking, there was no need, at that time, to have a field named "destination-address", as this was implicit. That information wasn't needed as the authorized_keys applied to only one machine: the machine where the authorized_keys was installed on.
>
> So how could I do this?

In addition to the answer that you already received, you might want to check out https://github.com/google/hiba - this is a set of extensions to the SSH certificate format to allow authorisation to pools of hosts to be embedded in the certificate.

-d