I propose to add certificate-based authentication in addition to the current simple "public key" -> "username" authentication scheme (authkeys):
1. Add a number of trusted CA certificates to the configuration.
2. Use the subject name in the user certs to directly map to the sshmuxd user name.
This would have the benefit of not having to touch the authkeys when adding new users. Also, certificates have a validity time, which improves security and makes some maintenance processes easier. For example, you can issue a two-week certificate to a user that needs access for a shorter task without having to worry about forgetting to remove the user when the job is done.
Bonus point: It could be worthwhile also using the certificate for authorization. For example, in addition to listing the users under a destination host, one could list CA certificates. Users with certificates issued by a CA on the authorized list would have access to the destination. This allows delegating the adding of users, and users could be added without touching the jumphost configuration at all.
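The following is an added example illustrating the two proposals above (CA-based authentication with the certificate's subject mapped to the user name, and per-destination authorization by issuing CA); it is not code from sshmuxd or from the issue author. It builds and verifies real OpenSSH `ssh-ed25519-cert-v01@openssh.com` user certificates with only the Go standard library so it runs offline; `trustConfig`, `authenticate`, `authorize`, the user "alice" and the destinations "db01" and "prod" are constructed for the example, and the certificate's key id is taken as the "subject name" that becomes the sshmuxd user name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const certType = "ssh-ed25519-cert-v01@openssh.com"

// SSH wire encoders: a "string" is a big-endian uint32 length followed by the bytes.
func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
func u64(v uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, v); return b }
func str(b []byte) []byte { return append(u32(uint32(len(b))), b...) }

// reader is a decoding cursor that records the first error instead of panicking, so a
// truncated or malformed certificate (attacker-controlled input) never indexes past the buffer.
type reader struct {
	buf []byte
	err error
}

func (r *reader) take(n uint64) []byte {
	if r.err != nil || uint64(len(r.buf)) < n {
		r.err = errors.New("truncated certificate")
		return nil
	}
	b := r.buf[:n]
	r.buf = r.buf[n:]
	return b
}

func (r *reader) num(n int) (v uint64) { // big-endian unsigned integer of n bytes
	for _, x := range r.take(uint64(n)) {
		v = v<<8 | uint64(x)
	}
	return v
}
func (r *reader) str() []byte { return r.take(r.num(4)) }

// fingerprint renders a key as "SHA256:..." exactly like ssh-keygen -l, for use in the config.
func keyBlob(pk ed25519.PublicKey) []byte { return append(str([]byte("ssh-ed25519")), str(pk)...) }
func fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(keyBlob(pk))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// issueUserCert builds an OpenSSH ed25519 user certificate and signs it with the CA key.
func issueUserCert(ca ed25519.PrivateKey, user ed25519.PublicKey, keyID string, notBefore, notAfter time.Time) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	var tbs []byte // the CA signs every field except the trailing signature
	for _, f := range [][]byte{
		str([]byte(certType)), str(nonce), str(user), u64(0), u32(1), // type, nonce, key, serial, kind 1 = user
		str([]byte(keyID)), str(str([]byte(keyID))), // key id, then a principals list with one entry
		u64(uint64(notBefore.Unix())), u64(uint64(notAfter.Unix())),
		str(nil), str(nil), str(nil), // critical options, extensions, reserved
		str(keyBlob(ca.Public().(ed25519.PublicKey))),
	} {
		tbs = append(tbs, f...)
	}
	return append(tbs, str(append(str([]byte("ssh-ed25519")), str(ed25519.Sign(ca, tbs))...))...)
}

type userCert struct {
	KeyID                   string
	ValidAfter, ValidBefore time.Time
	CA                      ed25519.PublicKey
}

// parseUserCert decodes a certificate blob and verifies the CA signature embedded in it.
func parseUserCert(blob []byte) (*userCert, error) {
	r := &reader{buf: blob}
	typ, _, _ := r.str(), r.str(), r.str() // type, nonce, user public key
	_, kind := r.num(8), r.num(4)         // serial, certificate kind
	keyID, _ := r.str(), r.str()          // key id, valid principals
	after, before := r.num(8), r.num(8)
	_, _, _ = r.str(), r.str(), r.str() // critical options, extensions, reserved
	kr := &reader{buf: r.str()}         // signature key blob (the CA's public key)
	signed := blob[:len(blob)-len(r.buf)]
	sr := &reader{buf: r.str()} // signature blob
	caAlgo, caKey, sigAlgo, sig := kr.str(), kr.str(), sr.str(), sr.str()
	switch {
	case r.err != nil:
		return nil, r.err
	case string(typ) != certType || kind != 1:
		return nil, errors.New("not an ssh-ed25519 user certificate")
	case kr.err != nil || sr.err != nil || string(caAlgo) != "ssh-ed25519" || string(sigAlgo) != "ssh-ed25519" ||
		len(caKey) != ed25519.PublicKeySize || !ed25519.Verify(caKey, signed, sig):
		return nil, errors.New("CA signature does not verify")
	}
	return &userCert{string(keyID), time.Unix(int64(after), 0), time.Unix(int64(before), 0), caKey}, nil
}

// trustConfig models the proposal (hypothetical, not sshmuxd's config): trusted user CAs, plus
// per destination host the CAs whose certificate holders may connect, both keyed by CA fingerprint.
type trustConfig struct {
	UserCAs        map[string]ed25519.PublicKey
	DestinationCAs map[string]map[string]bool
}

// authenticate maps a presented certificate to (username, issuing CA fingerprint).
func (c trustConfig) authenticate(blob []byte, now time.Time) (string, string, error) {
	cert, err := parseUserCert(blob)
	switch {
	case err != nil:
		return "", "", err
	case !bytes.Equal(c.UserCAs[fingerprint(cert.CA)], cert.CA): // a valid signature from an unknown CA is still rejected
		return "", "", errors.New("certificate not issued by a trusted user CA")
	case now.Before(cert.ValidAfter) || !now.Before(cert.ValidBefore):
		return "", "", fmt.Errorf("certificate for %q is outside its validity window", cert.KeyID)
	}
	return cert.KeyID, fingerprint(cert.CA), nil // the certificate's key id is the sshmuxd user name
}

// authorize is the "bonus point": a destination lists CAs instead of individual users.
func (c trustConfig) authorize(caFP, destination string) bool { return c.DestinationCAs[destination][caFP] }

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cfg := trustConfig{map[string]ed25519.PublicKey{fingerprint(caPub): caPub}, map[string]map[string]bool{"db01": {fingerprint(caPub): true}}}
	cert := issueUserCert(caPriv, userPub, "alice", now.Add(-time.Minute), now.Add(14*24*time.Hour))
	user, ca, err := cfg.authenticate(cert, now)
	fmt.Println(user, err, cfg.authorize(ca, "db01"), cfg.authorize(ca, "prod"))
}
```

In a real sshmuxd (a Go project), the parsing and signature check would come from `golang.org/x/crypto/ssh`'s `CertChecker` (`IsUserAuthority` decides which CAs are trusted, `Authenticate` verifies the certificate, validity window and principals) rather than the hand-rolled decoder above; what the example adds is the shape of the two checks the proposal asks for: the issuing CA identified by fingerprint after signature verification, and a destination that admits CAs rather than users. Two caveats a deployment should keep in mind: the example ignores principals, critical options and the serial (so no revocation list), and because the jumphost only sees the validity window, a short-lived certificate is the revocation mechanism, which is exactly the two-week-access case in the proposal.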
I needed this use-case too, so I've added support for this (and some extra stuff) on my fork (https://github.com/42wim/sshmuxd)
If you're interested in a PR @kennylevinsen let me know.