Francisco Scheid (@saddog691384)

Germering, Germany · Joined Jan 2026


Francisco Scheid (@saddog691384) echoed · Jan 12, 2026
Eeli Wiitala (@orangecat219799) · Jan 12, 2026 9:28 am

SSH Certificates and user principal logging/auditing?

Hi all,
I've been looking at SSH Certs for authentication. One of the things I'm having trouble wrapping my mind around is this idea of user to principal mapping. From my perspective it just makes auditing/logging more difficult to track.
For example:
Let's just say I have users[1-5] all issued SSH certificates with principal 'www' for all prod servers (or some other generic user).
If everyone logs in to the system with their 'www' principal (ssh -i ~/.ssh/my_signed_cert.pub www@server), there's no way to distinguish who did what on the local system. I get that there are paid and open source agent solutions that do per-session auditing and tracking, but why complicate it with an extra layer?
I'd rather have a system log show up like this
* 'user x made xyz change'
* 'user y made abc change'
Rather than
* 'www made xyz change'
* 'www made abc change'
In the system log there's only a record of authentication with the serial number, so you know who logged into the system as 'www' at what time, but after that it's all a blur.
The way I see it, it's better to have a 1:1 user to principal mapping. I guess I understand that some systems only have generic user names like 'postgresql

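As an added example (not code from the post or from OpenSSH), here is what can be recovered from sshd's own log when several people share the 'www' principal. OpenSSH's "Accepted publickey" line for a certificate login carries the certificate's key ID and serial alongside the login name, and the PAM session open/close lines share the same sshd pid, so a system-log entry of the form "www did X at T" can at least be narrowed to the certificate holders whose session was open at T. The log lines below are constructed for the example; the key IDs (alice, bob), hosts, pids and timestamps are assumptions, and timestamp comparison assumes all entries are from the same day.

```python
"""Correlate shared-principal SSH certificate logins with the certificate
key ID that sshd logs, so that 'www did X' can be resolved to a person.
Added example, not from the original post. Log lines are constructed to
match OpenSSH's LogLevel INFO output; names, pids and times are invented."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two cert holders (alice, bob) log in as the shared
# 'www' principal; a third login uses a plain key with no certificate.
SAMPLE_LOG = """\
Jan 12 09:28:01 web1 sshd[4120]: Accepted publickey for www from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:aaaa ID alice (serial 41) CA ED25519 SHA256:cafe
Jan 12 09:28:01 web1 sshd[4120]: pam_unix(sshd:session): session opened for user www(uid=1001) by (uid=0)
Jan 12 09:31:07 web1 sshd[4188]: Accepted publickey for www from 10.0.0.9 port 40022 ssh2: RSA-CERT SHA256:bbbb ID bob (serial 57) CA ED25519 SHA256:cafe
Jan 12 09:35:55 web1 sshd[4120]: pam_unix(sshd:session): session closed for user www
Jan 12 09:40:00 web1 sshd[4230]: Accepted publickey for deploy from 10.0.0.7 port 33000 ssh2: ED25519 SHA256:cccc
"""

# "Accepted publickey" line; the trailing "ID ... (serial N) CA ..." part is
# only present when the key presented was a certificate.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ \S+)?$"
)
# PAM session open/close line, logged under the same sshd pid as the login.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<event>opened|closed) for user (?P<user>\w+)"
)


@dataclass
class Session:
    pid: int
    opened_at: str
    principal: str          # login name, e.g. the shared 'www'
    src: str
    key_id: Optional[str]   # certificate key ID chosen by the CA at issuance
    serial: Optional[int]   # certificate serial, unique per issuance
    closed_at: Optional[str] = None

    @property
    def actor(self) -> str:
        """Best available identity: the cert key ID if present, else the principal."""
        return self.key_id if self.key_id else self.principal


def parse_sessions(log_text: str) -> List[Session]:
    """Build one Session per accepted login and stamp its close time by pid."""
    by_pid: Dict[int, Session] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            s = Session(pid=int(m["pid"]), opened_at=m["ts"], principal=m["user"],
                        src=m["src"], key_id=m["key_id"],
                        serial=int(m["serial"]) if m["serial"] else None)
            by_pid[s.pid] = s
            sessions.append(s)
            continue
        m = SESSION_RE.match(line)
        if m and m["event"] == "closed":
            s = by_pid.pop(int(m["pid"]), None)
            if s is not None:
                s.closed_at = m["ts"]
    return sessions


def unattributable(sessions: List[Session]) -> List[Session]:
    """Logins with no certificate at all: nothing beyond the login name to go on."""
    return [s for s in sessions if s.key_id is None]


def attribute_action(sessions: List[Session], principal: str, ts: str) -> List[str]:
    """Candidates for 'principal did something at ts': everyone whose session
    under that principal was open at ts. More than one name means the shared
    principal has made the action ambiguous. Compares HH:MM:SS only (same day)."""
    t = ts[-8:]
    return [s.actor for s in sessions
            if s.principal == principal
            and s.opened_at[-8:] <= t
            and (s.closed_at is None or s.closed_at[-8:] >= t)]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in found:
        print(f"pid={s.pid} {s.principal} <- {s.actor} serial={s.serial} "
              f"open={s.opened_at} close={s.closed_at}")
    print("www at 09:29:00 ->", attribute_action(found, "www", "Jan 12 09:29:00"))
    print("www at 09:33:00 ->", attribute_action(found, "www", "Jan 12 09:33:00"))
```

The second lookup returns both alice and bob: with two concurrent 'www' sessions the login log alone cannot say which of them made a change at 09:33, which is exactly the gap a 1:1 principal mapping or per-session auditing closes. The plain-key 'deploy' login is reported by unattributable() because it carries no key ID at all.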