iBug

Asked: 2019-09-24 01:59:21 +0800 CST2019-09-24 01:59:21 +0800 CST 2019-09-24 01:59:21 +0800 CST

SSH CA sign catch-all username

I have a private SSH CA that manages my servers (well I have quite a few of them). All my servers are configured to trust this CA in this way:

TrustedUserCAKeys /etc/ssh/iBug-CA.pub

These servers run a variety of OS's and have different usernames (like root, ubuntu, debian, admin, ibug etc.). I have a "central" server that I'd like to grant access to an arbitrary username on an arbitrary server, so I signed its user key with this command.

ssh-keygen -s ibug_ca.pem -I iBug-Central -n \* id_rsa.pub

But the signed certificate (id_rsa-cert.pub) can't log in any server, so I had to sign another certificate like this

ssh-keygen -s ibug_ca.pem -I iBug-Central -n root,ubuntu,debian,ibug,admin id_rsa.pub

The new id_rsa-cert.pub can log in to any server with one of the listed usernames, but it can't log in with an unlisted username (e.g. adm).

Is there a way to sign a certificate for a catch-all name? I tried omitting the -n option of ssh-keygen and it didn't work, either.

SSH CA sign catch-all username

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

SSH CA sign catch-all username

0 Answers