authorChristian Breunig <christian@breunig.cc>2025-05-20 19:49:39 +0200
committerChristian Breunig <christian@breunig.cc>2025-05-29 13:57:48 +0200
commit81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2 (patch)
tree90ff9aeae2bb90e7fd75ac5b31e08deabce9d8cd /interface-definitions
parent6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd (diff)
ssh: T6013: move principal name to "system login user <name> authentication"
We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys:

    set system login user <name> principal <principal>

The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/service_ssh.xml.in19
-rw-r--r--interface-definitions/system_login.xml.in9
2 files changed, 9 insertions, 19 deletions
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index 2ab9db48b..14d358c78 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -281,25 +281,6 @@
</properties>
<children>
#include <include/pki/ca-certificate.xml.i>
- <tagNode name="bind-user">
- <properties>
- <help>user-name</help>
- <constraint>
- #include <include/constraint/login-username.xml.i>
- </constraint>
- </properties>
- <children>
- <leafNode name="principal">
- <properties>
- <help>principal-name</help>
- <constraint>
- #include <include/constraint/login-username.xml.i>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
</children>
</node>
#include <include/vrf-multi.xml.i>
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index 9865e3d32..a13ba10ea 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -103,6 +103,15 @@
<help>Plaintext password used for encryption</help>
</properties>
</leafNode>
+ <leafNode name="principal">
+ <properties>
+ <help>Accepted principal names for certificate authentication</help>
+ <constraint>
+ #include <include/constraint/login-username.xml.i>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
<tagNode name="public-keys">
<properties>
<help>Remote access public keys</help>
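Review bot: The new `principal` leafNode carries a `<help>` and a `<constraint>` but no `<valueHelp>`, so CLI completion gives the operator no hint about what value is expected; I would add `<valueHelp><format>txt</format><description>Principal name embedded in the SSH certificate</description></valueHelp>` inside `<properties>`. The help text could also state the matching rule the commit message gives, e.g. `<help>Principal names accepted for SSH certificate login (certificate principal must match one of these)</help>`, since "for certificate authentication" alone does not tell the operator that an unlisted principal is refused. Reusing `include/constraint/login-username.xml.i` for the principal value may be stricter than what certificate principals are in practice — if that constraint disallows characters such as `@`, principals of the form `user@example.com` could not be configured here; worth confirming against the include before this ships. The enclosing `user` tagNode starts outside the hunk.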