From 81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Tue, 20 May 2025 19:49:39 +0200
Subject: ssh: T6013: move principal name to "system login user <name>
 authentication"

We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.

set system login user <name> principal <principal>

The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
---
 interface-definitions/service_ssh.xml.in  | 19 -------------------
 interface-definitions/system_login.xml.in |  9 +++++++++
 2 files changed, 9 insertions(+), 19 deletions(-)

(limited to 'interface-definitions')

diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index 2ab9db48b..14d358c78 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -281,25 +281,6 @@
             </properties>
             <children>
               #include <include/pki/ca-certificate.xml.i>
-              <tagNode name="bind-user">
-                <properties>
-                  <help>user-name</help>
-                  <constraint>
-                    #include <include/constraint/login-username.xml.i>
-                  </constraint>
-                </properties>
-                <children>
-                  <leafNode name="principal">
-                    <properties>
-                      <help>principal-name</help>
-                      <constraint>
-                        #include <include/constraint/login-username.xml.i>
-                      </constraint>
-                      <multi/>
-                    </properties>
-                  </leafNode>
-                </children>
-              </tagNode>
             </children>
           </node>
           #include <include/vrf-multi.xml.i>
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
index 9865e3d32..a13ba10ea 100644
--- a/interface-definitions/system_login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -103,6 +103,15 @@
                       <help>Plaintext password used for encryption</help>
                     </properties>
                   </leafNode>
+                  <leafNode name="principal">
+                    <properties>
+                      <help>Accepted principal names for certificate authentication</help>
+                      <constraint>
+                        #include <include/constraint/login-username.xml.i>
+                      </constraint>
+                      <multi/>
+                    </properties>
+                  </leafNode>
                   <tagNode name="public-keys">
                     <properties>
                       <help>Remote access public keys</help>
-- 
cgit v1.2.3