I have short-lived certificates working in my environment. In sshd_config, I’m using an AuthorizedPrincipalsFile directive to allow users to ssh into shared accounts (e.g. [email_username]@[email_domain] can log in to [shared_ssh_username] where [email_username] is different than [shared_ssh_username]).
From the command line client, this works great. A user can invoke “ssh [shared_ssh_username]@[hostname]” and the process seamlessly uses [email_username] in the short lived certificate.
But when i try to do the same thing from a web browser ssh terminal, the only options are to provide a password or a public key for [shared_ssh_username].
The current workflow on the ssh web ui is:
- attempt to log in to the ssh server using username [email_username] and a short lived certificate
- if it doesn’t work, then prompt for a username
- ask for a password or a key file.
Presumably the workflow should be:
- Prompt for a username
- attempt to log in to the ssh server using the username provided in #1 and a short lived certificate
- if it doesn’t work, then ask for a password or a key file.