Verified for lunar and jammy: # lxc launch ubuntu:jammy test-openssh-lunar # lxc exec test-openssh-lunar bash # cat </etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list # Enable Ubuntu proposed archive deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe EOF # apt update && apt dist-upgrade -y # mkdir reproducer # cd reproducer # mkdir certuser keyonlyuser # cd keyonlyuser # ssh-keygen -t ed25519 -f key Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in key Your public key has been saved in key.pub ... # cd ../certuser/ # ssh-keygen -t rsa -f ca Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ca Your public key has been saved in ca.pub # ssh-keygen -t ed25519 -f key Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in key Your public key has been saved in key.pub # ssh-keygen -s ca -I key_id -n certuser key.pub Signed user key key-cert.pub: id "key_id" serial 0 for certuser valid forever # cd .. # cat <authorized_principals #!/bin/sh if [ "$1" = "otheruser" ]; then echo certuser fi EOF # chmod 755 authorized_principals # adduser --disabled-password otheruser Adding user `otheruser' ... Adding new group `otheruser' (1001) ... Adding new user `otheruser' (1001) with group `otheruser' ... Creating home directory `/home/otheruser' ... Copying files from `/etc/skel' ... Changing the user information for otheruser Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y # adduser --disabled-password keyonlyuser Adding user `keyonlyuser' ... Adding new group `keyonlyuser' (1002) ... Adding new user `keyonlyuser' (1002) with group `keyonlyuser' ... Creating home directory `/home/keyonlyuser' ... Copying files from `/etc/skel' ... Changing the user information for keyonlyuser Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y # cat <authorized_keys #!/bin/sh if [ "$1" = "keyonlyuser" ]; then echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbBpE1TDzG48CLKI6bWQbIE87ke4ZJmgFQ0LFnYyikT root@test-openssh-lunar" fi EOF # chmod 755 authorized_keys # vi /etc/ssh/sshd_config i AuthorizedKeysCommand /root/reproducer/authorized_keys %u AuthorizedKeysCommandUser root AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root TrustedUserCAKeys /root/reproducer/certuser/ca.pub [esc] :wq # systemctl restart ssh # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key The authenticity of host 'localhost (127.0.0.1)' can't be established. ED25519 key fingerprint is SHA256:hCVcIK0Q/jBlQqqyEAcGnxgXnd46/kaT7j+78BobN2E. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'localhost' (ED25519) to the list of known hosts. Welcome to Ubuntu 23.04 (GNU/Linux 5.15.0-83-generic x86_64) ... $ exit # ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub Welcome to Ubuntu 23.04 (GNU/Linux 5.15.0-83-generic x86_64) # lxc launch ubuntu:jammy test-openssh-jammy # lxc exec test-openssh-jammy bash # cat </etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list # Enable Ubuntu proposed archive deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe EOF # apt update && apt dist-upgrade -y # mkdir reproducer # cd reproducer # mkdir certuser keyonlyuser # cd keyonlyuser # ssh-keygen -t ed25519 -f key Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in key Your public key has been saved in key.pub ... # cd ../certuser/ # ssh-keygen -t rsa -f ca Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ca Your public key has been saved in ca.pub # ssh-keygen -t ed25519 -f key Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in key Your public key has been saved in key.pub # ssh-keygen -s ca -I key_id -n certuser key.pub Signed user key key-cert.pub: id "key_id" serial 0 for certuser valid forever # cd .. # cat <authorized_principals #!/bin/sh if [ "$1" = "otheruser" ]; then echo certuser fi EOF # chmod 755 authorized_principals # adduser --disabled-password otheruser Adding user `otheruser' ... Adding new group `otheruser' (1001) ... Adding new user `otheruser' (1001) with group `otheruser' ... Creating home directory `/home/otheruser' ... Copying files from `/etc/skel' ... Changing the user information for otheruser Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y # adduser --disabled-password keyonlyuser Adding user `keyonlyuser' ... Adding new group `keyonlyuser' (1002) ... Adding new user `keyonlyuser' (1002) with group `keyonlyuser' ... Creating home directory `/home/keyonlyuser' ... Copying files from `/etc/skel' ... Changing the user information for keyonlyuser Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y # cat <authorized_keys #!/bin/sh if [ "$1" = "keyonlyuser" ]; then echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVm2xIPfP0Nm2blQVErar4K9iOFUVFSpVxyZhQIkTl4 root@test-openssh-jammy" fi EOF # chmod 755 authorized_keys # vi /etc/ssh/sshd_config i AuthorizedKeysCommand /root/reproducer/authorized_keys %u AuthorizedKeysCommandUser root AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u AuthorizedPrincipalsCommandUser root TrustedUserCAKeys /root/reproducer/certuser/ca.pub [esc] :wq # systemctl restart ssh # ssh keyonlyuser@localhost -i /root/reproducer/keyonlyuser/key The authenticity of host 'localhost (127.0.0.1)' can't be established. ED25519 key fingerprint is SHA256:4NFSX3Jx8X4+jOzo2xDnMcJy5lGJvTVnOupp9UAQ3J4. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'localhost' (ED25519) to the list of known hosts. Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64) ... $ exit # ssh otheruser@localhost -i /root/reproducer/certuser/key -o CertificateFile=/root/reproducer/certuser/key-cert.pub Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)