Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/login/authorized_keys.j2 | 1 | ||||
| -rw-r--r-- | data/templates/login/authorized_principals.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 16 |
3 files changed, 15 insertions, 6 deletions
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index 695b66abe..5b15f066a 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,5 +1,4 @@
 ### Automatically generated by system_login.py ###
-
 {% if authentication.public_keys is vyos_defined %}
 {% for key, key_options in authentication.public_keys.items() %}
 {# The whitespace after options is wisely chosen #}
diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2
new file mode 100644
index 000000000..16525e808
--- /dev/null
+++ b/data/templates/login/authorized_principals.j2
@@ -0,0 +1,4 @@
+### Automatically generated by system_login.py ###
+{% if authentication.principal is vyos_defined %}
+{{ '\n'.join(authentication.principal) }}
+{% endif %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index d6e31b0f4..dce679936 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
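Review bot: In the new data/templates/login/authorized_principals.j2, `{{ '\n'.join(authentication.principal) }}` writes every configured value to the principals file verbatim, so the file's format rests entirely on what the CLI validator for `authentication.principal` permits, which is not visible here. sshd reads a line of this file as optional key-restriction options followed by the principal name, so a value containing whitespace would be taken as options rather than a name, and a value beginning with `#` would be skipped as a comment. If the validator does not already reject such values, reject them there rather than in the template, and record the assumption here, e.g. `{# one principal name per line; the CLI validator rejects whitespace and a leading '#' #}`.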
@@ -112,11 +112,17 @@ RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }
 {% endif %}
 {% if trusted_user_ca_key is vyos_defined %}
+# Specifies a file containing public keys of certificate authorities that are
+# trusted to sign user certificates for authentication
 TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
-{% endif %}
-{% if trusted_user_ca_key is vyos_defined and trusted_user_ca_key.bind_user is vyos_defined %}
-AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u
-{% elif trusted_user_ca_key is vyos_defined %}
-AuthorizedPrincipalsFile none
+# The default is "none", i.e. not to use a principals file - in this case, the
+# username of the user must appear in a certificate's principals list for it
+# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
+# relative to $HOME.
+{% set filename = 'none' %}
+{% if trusted_user_ca_key.has_principals is vyos_defined %}
+{% set filename = '.ssh/authorized_principals' %}
+{% endif %}
+AuthorizedPrincipalsFile {{ filename }}
 {% endif %}
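Review bot: Switching `AuthorizedPrincipalsFile` from the root-owned `/etc/ssh/authorized_principals/%u` to the relative `.ssh/authorized_principals` moves the principals list into each account's home directory, where the account owner can normally edit it; an owner who appends another principal name thereby accepts certificates issued for that principal into their own account, which the removed absolute path did not allow. Whether system_login.py keeps that file root-owned and not writable by the user is outside this hunk, and StrictModes only makes sshd refuse group- or world-writable files, not owner-writable ones. Note also that once any principals file is configured sshd no longer accepts the username itself as a principal, so accounts for which no file was generated lose certificate login entirely — confirm that is intended for the global `has_principals` switch. Unless the per-user file is meant to be user-managed, keep the absolute path, `{% set filename = '/etc/ssh/authorized_principals/%u' %}`, and state the ownership assumption in the comment block, e.g. `# The file is written by system_login.py and must not be writable by the account owner.`. The enclosing `{% if trusted_user_ca_key is vyos_defined %}` block is complete within the hunk, but the template continues past it.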
