Document sshd.trusted_cas
johnmaguire committed May 1, 2024
1 parent 30bca7b commit bb396b8
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions docs/config/sshd.mdx
Expand Up @@ -22,6 +22,8 @@ sshd:
- user: steeeeve
keys:
- '[ssh public key string]'
trusted_cas:
- '[ssh ca public key string]'
```
See also the [Debugging with Nebula SSH commands](/docs/guides/debug-ssh-commands/) guide.
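Review bot: In the example config, `trusted_cas:` comes directly after the `keys:` list of the `steeeeve` entry, so it can be read as a per-user field, while the section added further down describes it as an alternative to `authorized_users`, that is, a key of `sshd` itself. Suggest making the nesting unambiguous here, for example with a one-line comment above `trusted_cas:`, and wording the placeholder `'[ssh ca public key string]'` so it is clear that the value is the CA's public key and not a signed certificate.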
Expand Down Expand Up @@ -70,3 +72,10 @@ You can generate a host key using the `ssh-keygen` command line utility.
These options are how you create `users` for the debug ssh daemon. Password authentication for the ssh debug console is
NOT supported.
# sshd.trusted_cas
As an alternative to (or in addition to) `authorized_users`, you may define a list of trusted SSH CA public keys. Any
SSH certificate signed by a trusted CA will be granted access to the SSH debug server. If an SSH certificate contains
at least one principal, then the username provided when connecting to the server must match at least one principal. If
no principals are defined in the certificate, any username can be used.
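Review bot: The last sentence of the new `sshd.trusted_cas` section ("If no principals are defined in the certificate, any username can be used") documents a fail-open case without flagging it. Together with "Any SSH certificate signed by a trusted CA will be granted access", it means every certificate that CA signs opens the debug console, including ones issued for unrelated purposes. Suggest adding a recommendation to use a CA dedicated to the debug server and to always issue certificates with principals, and stating whether the certificate's validity period is checked, since the text does not say.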
