diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index a5af5c129..37624ab67 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -191,6 +191,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 return false
 }
 
+ if cert.CertType != gossh.UserCert {
+ log.Warn("Certificate Rejected: Not a user certificate")
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+ return false
+ }
+
 // look for the exact principal
 principalLoop:
 for _, principal := range cert.ValidPrincipals {
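Review bot: The new `cert.CertType != gossh.UserCert` guard carries no comment explaining why it is needed, and the reason is security-relevant: presumably the later checks in publicKeyHandler (its body starts and ends outside this hunk) do not look at the certificate type, so a host certificate could otherwise pass as a login credential. I would put `// Only user certificates may authenticate a user; a host certificate must be rejected even if the remaining checks would accept it.` directly above the `if`, so the guard is not later removed as redundant. The rejection message would also be more useful for triage if it recorded the type that was presented, e.g. `log.Warn("Certificate Rejected: Not a user certificate (type %d)", cert.CertType)`, while keeping the separate "Failed authentication attempt from %s" line unchanged for any log filters that match on it. No test in the visible diff exercises the rejection path; a case that presents a non-user certificate and expects `false` would pin the behaviour.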