search for: authorizedprincipal

...login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to login as "bob" and "www" to machines in group "webserver" >> (only). > Why can't you have a AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't t...

...gs, in particular Facebook's one here: <https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>. However, if I issue certs with ssh-keygen ... -n alice,www,group-webserver ... ssh-keygen ... -n bob,www,group-webserver ... and I include "group-webserver" in AuthorizedPrincipalsFile for alice, it lets bob login as alice (as per documentation, and also tested). Now I am thinking I need to do something like this: ssh-keygen ... -n alice:webserver,www:webserver ... ssh-keygen ... -n bob:webserver,www:webserver ... with an AuthorizedPrincipalsCommand such as: #!/bin/s...

...>> carrying the authorization in the certs themselves - if that is in >> the spirit of the SSH cert mechanism. > > Sign alice and bob's ssh cert with principal's alice,www and bob,www > respectively. Configure sshd_config so that individuals don't require > an authorizedprincipalfile, and use Match within sshd_config for any > "service/faceless" account like www, to force use of an > authorizedprincipalfile. The contents of www's authorizedprincipal > file will simply contain the principal "www" or whatever you > choose. This should lim...

I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or

...quot;alice" > > and > > "www" to machines in group "webserver" (only). Also, I want Bob to > > be > > able to login as "bob" and "www" to machines in group "webserver" > > (only). > > Why can't you have a AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't t...