From 81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 20 May 2025 19:49:39 +0200 Subject: ssh: T6013: move principal name to "system login user authentication" We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user principal The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in. --- data/templates/login/authorized_keys.j2 | 1 - data/templates/login/authorized_principals.j2 | 4 ++++ data/templates/ssh/sshd_config.j2 | 16 +++++++++++----- 3 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 data/templates/login/authorized_principals.j2 (limited to 'data') diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2 index 695b66abe..5b15f066a 100644 --- a/data/templates/login/authorized_keys.j2 +++ b/data/templates/login/authorized_keys.j2 @@ -1,5 +1,4 @@ ### Automatically generated by system_login.py ### - {% if authentication.public_keys is vyos_defined %} {% for key, key_options in authentication.public_keys.items() %} {# The whitespace after options is wisely chosen #} diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2 new file mode 100644 index 000000000..16525e808 --- /dev/null +++ b/data/templates/login/authorized_principals.j2 @@ -0,0 +1,4 @@ +### Automatically generated by system_login.py ### +{% if authentication.principal is vyos_defined %} +{{ '\n'.join(authentication.principal) }} +{% endif %} diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index d6e31b0f4..dce679936 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -112,11 +112,17 @@ RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined } {% endif %} {% if trusted_user_ca_key is vyos_defined %} +# Specifies a file containing public keys of certificate authorities that are +# trusted to sign user certificates for authentication TrustedUserCAKeys /etc/ssh/trusted_user_ca_key -{% endif %} -{% if trusted_user_ca_key is vyos_defined and trusted_user_ca_key.bind_user is vyos_defined %} -AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u -{% elif trusted_user_ca_key is vyos_defined %} -AuthorizedPrincipalsFile none +# The default is "none", i.e. not to use a principals file - in this case, the +# username of the user must appear in a certificate's principals list for it +# to be accepted. ".ssh/authorized_principals" means a per-user configuration, +# relative to $HOME. +{% set filename = 'none' %} +{% if trusted_user_ca_key.has_principals is vyos_defined %} +{% set filename = '.ssh/authorized_principals' %} +{% endif %} +AuthorizedPrincipalsFile {{ filename }} {% endif %} -- cgit v1.2.3