Displaying 5 results from an estimated 5 matches for "authorizedprincip".
2020 Jan 30
6
SSH certificates - restricting to host groups
...log in as "alice" and "www" to machines in group "webserver" (only).
>> Also, I want Bob to be able to log in as "bob" and "www" to machines in
>> group "webserver" (only).
> Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob? Wouldn't...
2020 Jan 30
5
SSH certificates - restricting to host groups
...gs, in particular Facebook's one here:
<https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>.
However, if I issue certs with
ssh-keygen ... -n alice,www,group-webserver ...
ssh-keygen ... -n bob,www,group-webserver ...
and I include "group-webserver" in AuthorizedPrincipalsFile for alice,
it lets bob log in as alice (as per documentation, and also tested).
Now I am thinking I need to do something like this:
ssh-keygen ... -n alice:webserver,www:webserver ...
ssh-keygen ... -n bob:webserver,www:webserver ...
with an AuthorizedPrincipalsCommand such as:
#!/bin...
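The "user:group" scheme sketched in the message above, written out as a working AuthorizedPrincipalsCommand. This is an added example, not code from the thread or from OpenSSH; the script path, the choice of `nobody` as AuthorizedPrincipalsCommandUser and the `/etc/ssh/host-groups` inventory file are assumptions. The idea is that sshd only ever accepts principals of the form `<login name>:<group this host belongs to>`, so Bob's cert (principals `bob:webserver,www:webserver`) cannot satisfy a login as alice, and a bare `group-webserver` principal matches nothing at all. The `cert_allows` function is a local check that mirrors the comparison sshd performs, for testing the scheme before rolling it out.

```shell
#!/bin/sh
# Added example, not from the thread: an AuthorizedPrincipalsCommand that
# qualifies every accepted principal with this host's group, so a cert must
# carry "<user>:<group>" (e.g. "alice:webserver") rather than a bare group
# principal that every cert in the group would satisfy.
#
# Assumed sshd_config lines (paths are hypothetical):
#   AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u
#   AuthorizedPrincipalsCommandUser nobody
# Assumed host inventory file, one group name per line (hypothetical path):
HOST_GROUPS_FILE="${HOST_GROUPS_FILE:-/etc/ssh/host-groups}"

# Emit the principals sshd should accept for login name $1, one per line,
# from the groups listed in file $2. The output is in AuthorizedPrincipalsFile
# format, which is what sshd expects from the command.
principals_for() {
    user="$1"
    groups_file="$2"
    # Accept only a plain Unix login name; sshd passes %u, but a strict check
    # keeps the output unambiguous if the script is ever reused elsewhere.
    case "$user" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ -r "$groups_file" ] || return 1
    while IFS= read -r group; do
        case "$group" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        printf '%s:%s\n' "$user" "$group"
    done < "$groups_file"
}

# Local check that mirrors sshd's comparison: succeed if any principal in the
# cert's comma-separated list ($3) equals one this host would emit for login
# name $1 given groups file $2. sshd does this matching itself and never calls
# this function; it is here so the policy can be tested before deployment.
cert_allows() {
    user="$1"
    groups_file="$2"
    cert_principals="$3"
    allowed=$(principals_for "$user" "$groups_file") || return 1
    [ -n "$allowed" ] || return 1      # no principals emitted: deny
    old_ifs=$IFS
    IFS=,
    set -- $cert_principals            # split the cert's list on commas
    IFS=$old_ifs
    for p in "$@"; do
        for a in $allowed; do          # default IFS splits on the newlines
            [ "$p" = "$a" ] && return 0
        done
    done
    return 1
}

# When invoked by sshd the only argument is the target user (%u).
if [ $# -gt 0 ]; then
    principals_for "$1" "$HOST_GROUPS_FILE"
fi
```

Before enabling it, run the script as the command user (for the assumed paths, `sudo -u nobody /usr/local/sbin/ssh-principals alice`) on a host whose inventory lists `webserver` and confirm it prints `alice:webserver`; if the command prints nothing, sshd finds no acceptable principal and every certificate login for that user is refused. Certs issued with `ssh-keygen ... -n bob:webserver,www:webserver` then work as bob or www on webserver hosts and nowhere else, and the `group-webserver` principal that caused the cross-user login in the original setup is never accepted.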
2020 Jan 31
2
SSH certificates - restricting to host groups
...>> carrying the authorization in the certs themselves - if that is in
>> the spirit of the SSH cert mechanism.
>
> Sign alice and bob's ssh cert with principals alice,www and bob,www
> respectively. Configure sshd_config so that individuals don't require
> an AuthorizedPrincipalsFile, and use Match within sshd_config for any
> "service/faceless" account like www, to force use of an
> AuthorizedPrincipalsFile. The contents of www's AuthorizedPrincipals
> file will simply contain the principal "www" or whatever you
> choose. This should l...
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or
2020 Jan 30
3
SSH certificates - restricting to host groups
..."alice" and "www" to machines in group "webserver" (only).
> > Also, I want Bob to be able to log in as "bob" and "www" to machines in
> > group "webserver" (only).
>
> Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on
> each of the "web servers", where the contents of the alice file include
> the principal name alice, the contents of the bob file contain the bob
> principal, and the contents of the www file contain the contents alice
> and bob? Wouldn't...