HELP, I'm very confused about Default username & Allowed user in SSH CA

Here is the situation:
My target VM host username is debian. Right now I have to use "debian" as Default Username and "*" as Allowed users in my certificate configuration so my client is able to log in remotely using the certificate from the Vault server.

This is the command output illustrating my certificate information:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:CUEimEmFBg**********pAx5LiszeQhc
Signing CA: RSA SHA256:ZIKs***********/8n0ZJ2ylAv0BR+V4 (using rsa-sha2-256)
Key ID: “vault-userpass-tar-094122984985060e9********1d18be9031e4b8accde4217”
Serial: 1388643262908521501
Valid: from 2024-06-26T09:33:43 to 2024-06-26T10:04:13
Principals:
debian
Critical Options: (none)
Extensions:
permit-pty

As you can see, if I change the allowed user to my admin username, e.g. tar, or to the role that I have set up in the policy assigned to my admin user entity as "ssh-client-signer/roles/vault_admin" (I have already tried these 2 options instead of using "*"), then when my admin requests the CA to sign, this problem occurs:

URL: PUT https://167.94.112.47:8200/v1/ssh-client-signer/sign/vault_admin
Code: 400. Errors:

  • debian is not a valid value for valid_principals

But I think the default username is not the main problem; the problem is the allowed user. Please clarify the allowed user concept in Vault SSH for me. Thank you a lot :slight_smile:

For those who are confused by the same problem as me:

Every time the client wants to request the CA cert, the full command is
vault write -field=signed_key ssh-client-signer/sign/vault_admin public_key=@$HOME/.ssh/public-rsa.pub valid_principals="debian" > ~/.ssh/public-rsa-cert.pub

As you can see from the above, valid_principals must be the username on the target host VM,
and!!! your Vault server admin (Vault server operator) has to put "debian" in the allowed users list in your CA configuration.

But you can also put "debian" as the default username, so when the client requests the cert he/she no longer needs to type valid_principals="debian" after the cert request command.

In summary, allowed_users is just a tool for the Vault server operator to set up the allowed usernames on the target host VM, and default_user is just a username account on the target host that is used if the client admin did not assign any principals in the cert request. allowed_users comes in to solve the problem of logging in as the root account on the target host VM.

valid_principals == target host username on VM
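To make the relationship between allowed_users, default_user and valid_principals concrete, here is a small Python model of the principal check a Vault SSH CA role performs. This is an added example, not Vault's own code and not code from the original post; it assumes only the behaviour described in the thread (a comma-separated allow-list where "*" permits any name, a default used when the request omits valid_principals, and a refusal message in the shape of the 400 error quoted above). Templated or glob-style allow-lists and allow_empty_principals are deliberately left out, and the SshRole dataclass is a stand-in for the real role object.

```python
"""Toy model of how a Vault SSH CA role resolves certificate principals.

Added example, not Vault's own code. It assumes the role fields named in the
thread: `allowed_users` (comma-separated allow-list, "*" permits any name),
`default_user` (used when the request omits `valid_principals`), and the
request parameter `valid_principals` (comma-separated). Templated or
glob-style allow-lists and `allow_empty_principals` are left out on purpose.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SshRole:
    """The two role settings the thread is about (a stand-in for Vault's role object)."""
    allowed_users: str = ""
    default_user: str = ""


def _csv(value: str) -> List[str]:
    """Split a comma-separated value, dropping blanks and duplicates (order kept)."""
    seen, out = set(), []
    for item in value.split(","):
        item = item.strip()
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def resolve_principals(role: SshRole, valid_principals: Optional[str] = None) -> List[str]:
    """Return the principals that would be written into the signed certificate.

    Raises ValueError with a message shaped like the 400 error in the thread when
    a requested (or defaulted) principal is not on the role's allow-list.
    """
    # Step 1: request omitted valid_principals -> fall back to default_user.
    requested = _csv(valid_principals) if valid_principals is not None else []
    if not requested:
        requested = _csv(role.default_user)
    if not requested:
        raise ValueError("no valid_principals requested and the role has no default_user")

    # Step 2: every principal must be allowed by the role; "*" allows anything.
    allowed = _csv(role.allowed_users)
    if "*" in allowed:
        return requested
    for principal in requested:
        if principal not in allowed:
            raise ValueError(f"{principal} is not a valid value for valid_principals")
    return requested


def signing_outcome(role: SshRole, valid_principals: Optional[str] = None) -> Tuple[bool, object]:
    """(True, principals) when signing would proceed, (False, error_text) when refused."""
    try:
        return True, resolve_principals(role, valid_principals)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The poster's working setup: allowed_users="*", default_user="debian".
    print(signing_outcome(SshRole(allowed_users="*", default_user="debian")))
    # The poster's failing setup: allowed_users="tar" but default_user="debian"
    # -> "debian is not a valid value for valid_principals".
    print(signing_outcome(SshRole(allowed_users="tar", default_user="debian")))
    # The fix from the self-answer: put the target host's username on the allow-list.
    print(signing_outcome(SshRole(allowed_users="debian", default_user="debian")))
    # Tightened further: no default, so each request must name its principal,
    # and "root" is refused because it is not on the list.
    print(signing_outcome(SshRole(allowed_users="debian,tar"), "root"))
```

The second call reproduces the thread's error: with allowed_users="tar" the request falls back to default_user="debian", and "debian" is then rejected against the allow-list. The last call shows why an explicit allow-list is the control that keeps a client from requesting a root principal, which "*" does not give you.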