| field | value |
|---|---|
| author | Christian Breunig <christian@breunig.cc>, 2025-05-20 19:49:39 +0200 |
| committer | Christian Breunig <christian@breunig.cc>, 2025-05-29 13:57:48 +0200 |
| commit | 81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2 (patch) |
| tree | 90ff9aeae2bb90e7fd75ac5b31e08deabce9d8cd /data |
| parent | 6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd (diff) |
| download | vyos-1x-81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2.tar.gz, vyos-1x-81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2.zip |
ssh: T6013: move principal name to "system login user <name> authentication"
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
set system login user <name> principal <principal>
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
Diffstat (limited to 'data')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | data/templates/login/authorized_keys.j2 | 1 |
| -rw-r--r-- | data/templates/login/authorized_principals.j2 | 4 |
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 16 |
3 files changed, 15 insertions, 6 deletions
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2 index 695b66abe..5b15f066a 100644 --- a/data/templates/login/authorized_keys.j2 +++ b/data/templates/login/authorized_keys.j2 @@ -1,5 +1,4 @@ ### Automatically generated by system_login.py ### - {% if authentication.public_keys is vyos_defined %} {% for key, key_options in authentication.public_keys.items() %} {# The whitespace after options is wisely chosen #} diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2 new file mode 100644 index 000000000..16525e808 --- /dev/null +++ b/data/templates/login/authorized_principals.j2 @@ -0,0 +1,4 @@ +### Automatically generated by system_login.py ### +{% if authentication.principal is vyos_defined %} +{{ '\n'.join(authentication.principal) }} +{% endif %} diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index d6e31b0f4..dce679936 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 
@@ -112,11 +112,17 @@ RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined } {% endif %} {% if trusted_user_ca_key is vyos_defined %} +# Specifies a file containing public keys of certificate authorities that are +# trusted to sign user certificates for authentication TrustedUserCAKeys /etc/ssh/trusted_user_ca_key -{% endif %} -{% if trusted_user_ca_key is vyos_defined and trusted_user_ca_key.bind_user is vyos_defined %} -AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u -{% elif trusted_user_ca_key is vyos_defined %} -AuthorizedPrincipalsFile none +# The default is "none", i.e. not to use a principals file - in this case, the +# username of the user must appear in a certificate's principals list for it +# to be accepted. ".ssh/authorized_principals" means a per-user configuration, +# relative to $HOME. +{% set filename = 'none' %} +{% if trusted_user_ca_key.has_principals is vyos_defined %} +{% set filename = '.ssh/authorized_principals' %} +{% endif %} +AuthorizedPrincipalsFile {{ filename }} {% endif %} |
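Review bot: in the new data/templates/login/authorized_principals.j2, `{{ '\n'.join(authentication.principal) }}` only yields one principal per line if `authentication.principal` reaches the template as a list; should a single value ever arrive as a plain string, `'\n'.join` would emit one character per line and no principal could match. Either guarantee the list type in system_login.py (not part of this diff) or iterate with `{% for principal in authentication.principal %}` the way authorized_keys.j2 loops over its keys. Because sshd reads this file relative to $HOME (`.ssh/authorized_principals` in the sshd_config.j2 hunk), it applies the same StrictModes ownership and permission checks to it as to authorized_keys, so the code that writes the file must set owner and mode accordingly or certificate logins will fail silently from the user's point of view.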

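Review bot: the AuthorizedPrincipalsFile selection in data/templates/ssh/sshd_config.j2 is keyed on the global `trusted_user_ca_key.has_principals` flag, while the file it points at, `.ssh/authorized_principals`, is per user. Once any user has a principal configured, sshd consults the principals file for every user, and a user whose file is missing or empty can no longer log in with a certificate whose only principal is their own username; the removed `AuthorizedPrincipalsFile none` branch permitted exactly that, as the new comment block itself explains. If that is the intended semantics it should be stated in the CLI help and in this comment; otherwise consider generating a principals file for every user that always contains at least the username, so the old behaviour is preserved. Two smaller points: `has_principals is vyos_defined` tests presence rather than truth, so system_login.py must omit the key entirely when no user has a principal instead of setting it to False, or the `none` branch is never taken; and replacing the root-owned `/etc/ssh/authorized_principals/%u` of the removed lines with a file under $HOME hands control of the accepted principal list to the account owner, which matches the authorized_keys trust model but is a change from the previous design and deserves a sentence in the commit message.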