With Signed SSH Certificates it would be good to accept certificate_identity when signing SSH keys. This makes reading logs much easier to identify who logged in.
Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: Accepted publickey for root from 192.168.1.185 port 50550 ssh2: RSA-CERT ID vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28 (serial 5524078550575389286) CA RSA SHA256:M8aK9I71gPPKjM20o3nrAcYokUsfLQz2xlTdCstJ1Ig
Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: pam_unix(sshd:session): session opened for user root by (uid=0)
Reading vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28, it isn't clear who logged in. ssh-keygen supports the -I flag, which allows you to specify an identity.
@vishalnayak so looking through the source I found the option allow_user_key_ids. Setting this to true allows you to inject usernames, which makes it easy to identify who logged in with what certificate.
Then when SSHing into a host you can see the key_id, which is a lot easier to identify:
Sep 26 16:26:40 localhost sshd[1185]: Accepted publickey for root from 192.168.99.1 port 53438 ssh2: RSA-CERT ID damian (serial 1891934964527850342) CA RSA SHA256:00tgDa0i//gT0aYpNlTfrBr/z8Xk/xeViropxrWdLYE
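An added example, not part of the original issue or of Vault's code: a Python parser for the sshd certificate-login lines quoted in this thread that separates hash-style key IDs from named ones. The function names and the `vault-<name>-<64 hex>` pattern used to recognise a default-style ID are assumptions drawn from the sample line in the issue.

```python
import re

# sshd line for a certificate login, anchored at the end of the line so the
# serial and CA fingerprint are taken from sshd's own trailer even when the
# key ID (free text chosen at signing time) contains spaces or parentheses.
CERT_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2: (?P<key_type>\S+)-CERT ID (?P<key_id>.+) "
    r"\(serial (?P<serial>\d+)\) CA (?P<ca_type>\S+) (?P<ca_fp>\S+)$"
)

# Assumption: a default-style key ID looks like the one in the issue,
# "vault-<name>-<64 hex chars>", which does not name a person.
OPAQUE_ID = re.compile(r"^vault-.+-[0-9a-f]{64}$")

# The three log lines quoted in this thread, unchanged.
SAMPLE_LOG = [
    "Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: Accepted publickey for root from 192.168.1.185 port 50550 ssh2: RSA-CERT ID vault-root-4f7a555f4e11243c0951a208f5cda4d2e8bbbddfffdcf12e1744144577bc5b28 (serial 5524078550575389286) CA RSA SHA256:M8aK9I71gPPKjM20o3nrAcYokUsfLQz2xlTdCstJ1Ig",
    "Sep 26 02:38:25 ops-vault1-2-sfo sshd[16072]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Sep 26 16:26:40 localhost sshd[1185]: Accepted publickey for root from 192.168.99.1 port 53438 ssh2: RSA-CERT ID damian (serial 1891934964527850342) CA RSA SHA256:00tgDa0i//gT0aYpNlTfrBr/z8Xk/xeViropxrWdLYE",
]


def parse_cert_logins(lines):
    """Return one dict per certificate login; other lines are skipped."""
    logins = []
    for line in lines:
        m = CERT_LOGIN.search(line.rstrip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["serial"] = int(rec["serial"])
            rec["opaque_id"] = bool(OPAQUE_ID.match(rec["key_id"]))
            logins.append(rec)
    return logins


def unattributed_logins(lines):
    """Certificate logins whose key ID does not identify the requester."""
    return [r for r in parse_cert_logins(lines) if r["opaque_id"]]


if __name__ == "__main__":
    for r in parse_cert_logins(SAMPLE_LOG):
        tag = "UNATTRIBUTED" if r["opaque_id"] else "ok"
        print(f'{tag:12} user={r["user"]} src={r["src"]} id={r["key_id"]} '
              f'serial={r["serial"]} ca={r["ca_fp"]}')
```

Each record keeps the serial and CA fingerprint alongside the key ID, since with allow_user_key_ids the key ID is supplied by whoever requests the certificate.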