search for: authorizedprincipal


2020 Jan 30
6
SSH certificates - restricting to host groups
...login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to login as "bob" and "www" to machines in group "webserver" >> (only). > Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't t...
2020 Jan 30
5
SSH certificates - restricting to host groups
...gs, in particular Facebook's one here: <https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>. However, if I issue certs with ssh-keygen ... -n alice,www,group-webserver ... ssh-keygen ... -n bob,www,group-webserver ... and I include "group-webserver" in AuthorizedPrincipalsFile for alice, it lets bob login as alice (as per documentation, and also tested). Now I am thinking I need to do something like this: ssh-keygen ... -n alice:webserver,www:webserver ... ssh-keygen ... -n bob:webserver,www:webserver ... with an AuthorizedPrincipalsCommand such as: #!/bin/s...
2020 Jan 31
2
SSH certificates - restricting to host groups
...>> carrying the authorization in the certs themselves - if that is in >> the spirit of the SSH cert mechanism. > > Sign alice and bob's ssh cert with principals alice,www and bob,www > respectively. Configure sshd_config so that individuals don't require > an authorizedprincipalfile, and use Match within sshd_config for any > "service/faceless" account like www, to force use of an > authorizedprincipalfile. The contents of www's authorizedprincipal > file will simply contain the principal "www" or whatever you > choose. This should lim...
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or
2020 Jan 30
3
SSH certificates - restricting to host groups
...quot;alice" > > and > > "www" to machines in group "webserver" (only). Also, I want Bob to > > be > > able to login as "bob" and "www" to machines in group "webserver" > > (only). > > Why can't you have a AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't t...