


Re: SSH Certificates and CA.

From Richard E. Silverman <res@qoxp.net>
Newsgroups comp.security.ssh
Subject Re: SSH Certificates and CA.
References <slrnj1anm3.vmg.kevin@slackwall.local.tux>
Message-ID <r4jei20p94y.fsf@sys2.nyc.deshaw.com> (permalink)
Organization Thundernews
Date 2011-07-08 20:53 -0400



Kevin Denis <kevin@nowhere.invalid> writes:

> Hello,
>
> I'm using SSH certificates and it works well. Here is my setup:
>
> 1- Create a CA:
> ssh-keygen -f CAKey 
> 2- Adding the pub key in .ssh/known_hosts of my users:
> @cert-authority * AAA(...) root@linux
> And sshd_config of my servers:
> TrustedUserCAKeys /etc/ssh/CAKey.pub
> 3- Sign a user key:
> ssh-keygen -s CAKey -I CA -n user1 rsa_key.pub
> and the hosts:
> ssh-keygen -s CAKey -I CA -h host_rsa_key.pub
> adding the certificate in each sshd_config:
> HostCertificate /etc/ssh/host_rsa_key-cert.pub
>
> And it works great. But I have a problem with this setup.
>
> I have a lot of servers, for different tasks. When I sign a certificate
> for a user, this certificate is valid for all of my servers. And
> I don't want a web developer to be able to access my svn, for example.
>
> Is there a way to limit the scope of user certificate to a specific
> subset of servers?

The certificate allows your servers to identify the user; that is
authentication.  What you're talking about is authorization: determining
what that user is allowed to do, which should be done separately.  For
example: you could use the sshd AllowGroups setting to require
membership in the "svn" Unix group to log into your SVN server -- and
simply not put the web developers in that group.

- Richard
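A worked version of that authentication/authorization split, added here as an example and not taken from either poster. It keeps the CA trusted on every server exactly as in the original setup and adds the per-server authorization on the SVN host. It goes one step beyond the reply: besides `AllowGroups`, it also uses certificate principals (the `-n` option already used in the original signing step) together with `AuthorizedPrincipalsFile`, so a certificate is scoped by role rather than only by local group membership. The group name `svn`, the principals `svn-admins` and `web-deploy`, the identities `alice`/`bob`, the path `/etc/ssh/principals/%u` and the `$WORKDIR` key directory are all assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the original thread. Authentication stays CA-wide;
# authorization is decided per server.
# Assumed names: Unix group "svn", principals "svn-admins"/"web-deploy",
# key files under $WORKDIR, principals files under /etc/ssh/principals/.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# sshd_config fragment for the SVN server. The CA is trusted exactly as in
# the original setup; the two directives below decide who may use it here.
svn_server_sshd_fragment() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/CAKey.pub
# Authorization 1 (the reply's suggestion): require local "svn" group
# membership. A web developer outside that group is refused even though
# the certificate verifies.
AllowGroups svn
# Authorization 2: the certificate must carry a principal listed in the
# file for the target account (%u). Certificates signed for other roles
# verify fine but carry no accepted principal and are rejected.
AuthorizedPrincipalsFile /etc/ssh/principals/%u
# Plain public keys would bypass both checks; disable them on this host.
AuthorizedKeysFile none
EOF
}

# Contents of /etc/ssh/principals/<account> on the SVN server: the
# certificate principals that may log in as that account.
svn_server_principals_for() {
    case "$1" in
        svn) printf '%s\n' svn-admins ;;
        *)   : ;;   # empty: no certificate holder may become this account
    esac
}

# Mirrors sshd's AuthorizedPrincipalsFile decision: accept when one line of
# the file exactly equals a principal in the presented certificate.
# $1 = target account, $2 = a principal from the certificate.
svn_server_accepts() {
    svn_server_principals_for "$1" | grep -qx -- "$2"
}

# Real ssh-keygen invocations issuing role-scoped certificates. Skipped when
# the tool is missing so the rest of the script still runs.
sign_role_certs() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; skipping signing demo" >&2
        return 0
    fi
    ssh-keygen -q -t ed25519 -N '' -f "$WORKDIR/CAKey"
    ssh-keygen -q -t ed25519 -N '' -f "$WORKDIR/alice"   # web developer
    ssh-keygen -q -t ed25519 -N '' -f "$WORKDIR/bob"     # svn administrator
    # -n bakes the principal list into the certificate; -V bounds its validity.
    ssh-keygen -q -s "$WORKDIR/CAKey" -I alice-web -n web-deploy -V +52w "$WORKDIR/alice.pub"
    ssh-keygen -q -s "$WORKDIR/CAKey" -I bob-svn   -n svn-admins -V +52w "$WORKDIR/bob.pub"
    # What the SVN server will see: alice's certificate lists only web-deploy.
    ssh-keygen -L -f "$WORKDIR/alice-cert.pub"
}

svn_server_sshd_fragment
sign_role_certs
```

`AllowGroups` depends on each host's account database: the web developer is only refused if nobody adds her to `svn` on that machine. The principals file moves the policy onto the certificate itself, which is checked before group membership matters, and `AuthorizedKeysFile none` closes the obvious bypass of dropping a plain key into `~/.ssh/authorized_keys`. Deploying either directive needs an `sshd -t` check against the full config before restarting the daemon.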



Thread

SSH Certificates and CA. Kevin Denis <kevin@nowhere.invalid> - 2011-07-07 07:15 +0000
  Re: SSH Certificates and CA. Richard E. Silverman <res@qoxp.net> - 2011-07-08 20:53 -0400
