Allow use of SSH certificates

Problem to solve

Our self-managed GitLab instance (v16.9) is configured to use fast SSH key lookup with OpenSSH as documented at Fast lookup of authorized SSH keys in the database | GitLab. Now we want to add support for using SSH certificates via OpenSSH's AuthorizedPrincipalsCommand.

The "Key ID" in our SSH certs is not a plain username, but something like "vault-oid--xxxxxxxxx". So a custom script has been written for the AuthorizedPrincipalsCommand that extracts the username from the key ID and writes the same output as the default gitlab-shell-authorized-principals-check command.

When adding the AuthorizedPrincipalsCommand to the sshd_config as documented at User lookup via OpenSSH's AuthorizedPrincipalsCommand | GitLab (in addition to the AuthorizedKeysCommand), our SSH certificates are not accepted. They give the error "error: Certificate invalid: name is not a listed principal" in the sshd log.

However, when removing the AuthorizedKeysCommand the SSH certificates are accepted. It seems that using both AuthorizedKeysCommand and AuthorizedPrincipalsCommand together doesn't work, but each works on its own.

What can we do to make this work?

Solved: It seems that the order of the AuthorizedPrincipalsCommand and AuthorizedKeysCommand settings in sshd_config matters. AuthorizedPrincipalsCommand must be set before AuthorizedKeysCommand.
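As an added illustration of the custom AuthorizedPrincipalsCommand wrapper the post describes (this is example code, not the poster's script or GitLab's own), the sketch below takes the certificate Key ID and the configured principal name as arguments and prints an authorized_principals line. It assumes the username is the part of the Key ID after the `vault-oid--` prefix, and that the output shape of gitlab-shell-authorized-principals-check is the `command="... username-<user>",no-port-forwarding,...` form shown (both are assumptions; check them against your installation). Because whatever the script prints ends up inside an authorized_principals `command=` option, the extracted username is whitelisted to a safe character set before it is echoed back to sshd; anything else is rejected and the certificate is simply not accepted.

```shell
#!/bin/sh
# Example AuthorizedPrincipalsCommand wrapper (added illustration, not the
# forum poster's script). Assumptions: Key ID looks like "vault-oid--<username>"
# and the principal name is passed as the second argument from sshd_config.
#
# sshd_config excerpt (order matters, per the post: PrincipalsCommand first):
#   AuthorizedPrincipalsCommand /path/to/this-wrapper %i sshUsers
#   AuthorizedPrincipalsCommandUser git
#   AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
#   AuthorizedKeysCommandUser git

# Path of gitlab-shell on an Omnibus install; override via environment if needed.
GITLAB_SHELL=${GITLAB_SHELL:-/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell}

# extract_username KEY_ID
# Prints the username embedded in the Key ID, or returns 1 if the Key ID is
# not in the expected form or contains characters unsafe for an options string.
extract_username() {
  key_id=$1
  case "$key_id" in
    vault-oid--*) ;;
    *) return 1 ;;
  esac
  user=${key_id#vault-oid--}
  # Whitelist: only letters, digits, dot, underscore and dash may reach sshd.
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$user"
}

# principal_line KEY_ID PRINCIPAL
# Prints one authorized_principals line in the (assumed) shape produced by
# gitlab-shell-authorized-principals-check. Returns 1 on a rejected Key ID.
principal_line() {
  user=$(extract_username "$1") || return 1
  printf 'command="%s username-%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$GITLAB_SHELL" "$user" "$2"
}

# When sshd invokes the script it passes exactly two arguments (%i and the
# principal); with any other argument count nothing is printed and no
# principal is granted.
if [ "$#" -eq 2 ]; then
  principal_line "$1" "$2"
fi
```

Because sshd accepts the certificate only if one of its listed principals matches a line printed here, a malformed or tampered Key ID produces no output and is rejected with the same "not a listed principal" error seen in the post, which is the desired failure mode.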