Skip to content
Dockerized setup of SSH with a Certificate Authority and Principals configured
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

SSH Principal and CA Playground

Ever wanted to play around with SSH Principals and see how they work? This little package I put together creates a series of Docker containers which make use of Principals in SSH.


  • Clone this repo with git clone.
  • Run ./ which will do the following:
    • Create a key, a CA, and a certificate of that key signed by the CA
    • (re)build 3 Docker containers: client, server, and ca.
    • Run tests on the client container to verify that it can/cannot SSH into certain accounts on the server and ca hosts.

A successful run will end in something like this:


I said this project was a playground, and I meant it! If you'd like to play around yourself, here's how to get started:

First, attach to the client container with docker-compose exec client bash.

From there, you can try SSHing into the server or the ca containers. The server container has the users root, user1, user2, and user3, and you can SSH into any of those user accounts.

The ca container trusts the CA certificate that we created, and has principals set up. As such, you can only SSH to the root, user1, and user2 users. user3 will not work.


If you want to prove to yourself that you fully understand Principals in SSH, try some of these exercises:

  • Configure ca so you can log in as user3 on ca with the existing Principals of root, and user2.
  • Add the Principal user3 to the user key, and use it to log in as user3 on ca.
  • Replace the root Principal from the user key and add sysadmin. Configure ca so that you can log in as the root user again.


These are some helper scripts I wrote to help streamline my development:

  • ./bin/ - Kill all containers (or an existing container, if specified), remove them, (re)build them, and start them back up.
  • ./bin/ - Attach to any running container.
  • ./bin/ - Nice wrapper script for the previous two commands. :-)
  • ./bin/ - Display logs from all containers, or a single container if specified.


  • I recommend making heavy use if docker-compose logs -f ca, as status messages from sshd will be sent there. On a successful login, a message like this will appear:
    • Accepted publickey for user1 from port 34756 ssh2: ECDSA-CERT ID playground (serial 1) CA ECDSA SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k


  • Logging in as the root user in this app is for demo purposes only. DO NOT allow root logins on a production system!

External Links



My email is I am also @dmuth on Twitter and Facebook!

You can’t perform that action at this time.