
ssh certificate authentication: can one user and one server certificate work for any number of users or servers on a LAN?

I am (still) rather confused about using ssh certificate authentication.

I am confused about a variety of specifics, but the biggie is this: I have the 
idea that I can create one user certificate and one server (host) certificate, 
and use that for any number of users and servers on a LAN.

from man ssh:

<quote>
A variation on public key authentication is available in the form of 
certificate authentication: instead of a set of public/private keys, signed 
certificates are used.  This has the advantage that a single trusted 
certification authority can be used in place of many public/private keys.  See 
the CERTIFICATES section of ssh-keygen(1) for more information.
</quote>

That would be done by virtue of using the -n option to set the principals for 
each certificate -- the user certificate could include all the users that might 
use any client, and the server (host) certificate could include all the servers 
on the LAN.  

(Aside -- best to ignore this at least for now: I don't like calling them 
"hosts" or the name "host certificate" -- I think what they are calling a host 
is an ssh server, and a host certificate is the certificate for an ssh server 
(at least in the context of certificate authentication -- maybe in password 
authentication (for example) a host certificate comes into play for both the 
ssh client and the ssh server??))

Using multiple users or servers on one certificate:

   * would be done by using the -n option (when creating the certificate) and 
specifying multiple principals (either users or servers).  That could be done 
by either a comma separated list (of users or servers) or wildcards, or 
presumably some combination of both,

   * and, in fact, the -n option is more like a way to limit the users or 
servers that can use a certificate, the default (iiuc) is that any user can 
authenticate using the host certificate on any server using the server 
certificate.

Am I totally confused, and do you have any experience to confirm this one way 
or the other?

Thanks!

-- 
rhk

If you reply: snip, snip, and snip again; leave attributions; avoid top 
posting; and keep it "on list".  (Oxford comma included at no charge.)  If you 
change topics, change the Subject: line. 

A picture is worth a thousand words -- divide by 10 for each minute of video 
(or audio) or create a transcript and edit it to 10% of the original.
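
The certificate-minting steps the post asks about, as an added example that is not part of the original message: it signs one user certificate for several principals with -n, one user certificate with -n omitted, and one host certificate for several server names, then reads each principal list back with ssh-keygen -L. It assumes OpenSSH's ssh-keygen is on PATH; the CA names, key file names and principals are made up.

```shell
#!/bin/sh
# Added example (not from the original post): mint two CAs, sign one user
# certificate for several principals and one host certificate for several
# server names, then read the principal lists back with ssh-keygen -L.
# Assumes OpenSSH's ssh-keygen is on PATH; every name and path is made up.
set -eu

make_certs() {
  dir=$(mktemp -d)
  # Separate CAs for user and host certificates.
  ssh-keygen -q -t ed25519 -N '' -C user_ca -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C host_ca -f "$dir/host_ca"
  # The key pairs the certificates will be attached to.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"
  ssh-keygen -q -t ed25519 -N '' -f "$dir/id_nolist"
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  # One user certificate whose principals (-n) are three login names.
  ssh-keygen -q -s "$dir/user_ca" -I lan-users -n alice,bob,carol \
    -V +52w "$dir/id_ed25519.pub"
  # The same, but with -n omitted: no principals are recorded at all.
  ssh-keygen -q -s "$dir/user_ca" -I no-list -V +52w "$dir/id_nolist.pub"
  # One host certificate (-h) whose principals are two hostnames and an IP.
  ssh-keygen -q -s "$dir/host_ca" -I lan-hosts -h \
    -n srv1.lan,srv2.lan,10.0.0.5 -V +52w "$dir/ssh_host_ed25519_key.pub"
  echo "$dir"
}

# Print the principals embedded in a certificate, one per line (nothing if
# the certificate carries none). Principal lines are indented deeper than
# the "Principals:" label in ssh-keygen -L output, which is what awk tracks.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^[[:space:]]*Principals:/ { match($0, /^[[:space:]]*/); base = RLENGTH; inlist = 1; next }
    inlist { match($0, /^[[:space:]]*/); if (RLENGTH > base) print $1; else exit }'
}

# Stand-alone use: "sh this_script.sh demo" prints each certificate's list.
if [ "${1:-}" = "demo" ]; then
  d=$(make_certs)
  for c in id_ed25519 id_nolist ssh_host_ed25519_key; do
    printf '%s: %s\n' "$c" "$(cert_principals "$d/$c-cert.pub" | tr '\n' ' ')"
  done
fi
```

Each certificate is a signature over one specific public key, so a multi-principal user certificate still means every listed account presents that same private key; the -n list only names the accounts that key may log in as, it does not let separate key pairs share the certificate.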
