path: root/data/templates/ssh/sshd_config.j2
Diffstat (limited to 'data/templates/ssh/sshd_config.j2')
-rw-r--r--data/templates/ssh/sshd_config.j216
1 files changed, 11 insertions, 5 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index d6e31b0f4..dce679936 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -112,11 +112,17 @@ RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }
{% endif %}
{% if trusted_user_ca_key is vyos_defined %}
+# Specifies a file containing public keys of certificate authorities that are
+# trusted to sign user certificates for authentication
TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
-{% endif %}
-{% if trusted_user_ca_key is vyos_defined and trusted_user_ca_key.bind_user is vyos_defined %}
-AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u
-{% elif trusted_user_ca_key is vyos_defined %}
-AuthorizedPrincipalsFile none
+# The default is "none", i.e. not to use a principals file - in this case, the
+# username of the user must appear in a certificate's principals list for it
+# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
+# relative to $HOME.
+{% set filename = 'none' %}
+{% if trusted_user_ca_key.has_principals is vyos_defined %}
+{% set filename = '.ssh/authorized_principals' %}
+{% endif %}
+AuthorizedPrincipalsFile {{ filename }}
{% endif %}
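Review bot: The new `AuthorizedPrincipalsFile {{ filename }}` line resolves to the per-user `.ssh/authorized_principals` under $HOME when `has_principals` is set, whereas the removed lines pointed at the administrator-owned `/etc/ssh/authorized_principals/%u`; this moves control over which certificate principals may log in to an account from the administrator to the account owner, who can edit that file. If that shift is intended, the rendered comment should say so, e.g. add after the existing block: `# Note: a per-user principals file is owned and editable by that account; sshd's StrictModes ownership and permission checks should apply to it.` If central control is the goal, the `/etc/ssh/authorized_principals/%u` form the commit removes is the safer default and could be kept as the selectable alternative. I cannot tell from this hunk whether anything elsewhere in the template or the config backend still provisions or references `/etc/ssh/authorized_principals/`, so a stale directory or a now-unreachable code path is possible.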