The attached Dockerfile builds an image containing OpenSSH for experimenting with SSH certificates. It creates and signs all the keys so that you don't have to set anything up on your host OS.
Build the Docker image:
docker build -t ssh-certs .
Start a container with that image running sshd:
docker run --name sshd -d --rm -p 2233:22 ssh-certs /usr/sbin/sshd -D -e
Copy the user keys and certs to your local file system to use them:
docker cp sshd:/ssh/user1 .
docker cp sshd:/ssh/user1-cert.pub .
docker cp sshd:/ssh/user2 .
docker cp sshd:/ssh/user2-cert.pub .
View logs generated by sshd:
docker logs -f sshd
Press Ctrl+C to stop following the logs.
In another shell, try logging in with various keys and usernames:
ssh -i user1 root@127.0.0.1 -p 2233 # no password required
ssh -i user1 user1@127.0.0.1 -p 2233 # no password required
ssh -i user1 user2@127.0.0.1 -p 2233 # requires password (user2 not in cert)
ssh -i user2 root@127.0.0.1 -p 2233 # requires password (root not in cert)
ssh -i user2 user1@127.0.0.1 -p 2233 # requires password (user1 not in cert)
ssh -i user2 user2@127.0.0.1 -p 2233 # no password required
Stop the container:
docker stop sshd
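Whether a login above needs a password depends on the principals embedded in the certificate, which `ssh-keygen -L` prints. The script below is an added example, not part of the original Dockerfile: it parses that output and checks a login name against it. The function names are hypothetical, and the demo CA, key and certificate (principals root and user1, assumed to mirror the user1 certificate) are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: which login names does an OpenSSH user certificate cover?
# Function names are hypothetical; the CA, key and cert are constructed
# in a temporary directory purely for the demo.

# Print one principal per line, parsed from `ssh-keygen -L` output.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]*Principals:/       { in_p = 1; next }
        /^[ \t]*Critical Options:/ { in_p = 0 }
        in_p { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}

# Succeed only if login name $2 is listed as a principal of cert $1.
cert_allows() {
    cert_principals "$1" | grep -Fxq -- "$2"
}

# Create a throwaway CA and sign a user key for principals root and user1
# (assumed to mirror the user1 certificate the Dockerfile produces).
make_demo_cert() {
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$1/ca" &&
    ssh-keygen -q -t ed25519 -N '' -C user1 -f "$1/user1" &&
    ssh-keygen -q -s "$1/ca" -I user1-demo -n root,user1 -V +1h "$1/user1.pub"
}

# Report, for each login name tried above, whether the cert covers it.
demo_report() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" || { rm -rf "$dir"; return 1; }
    report=
    for name in root user1 user2; do
        if cert_allows "$dir/user1-cert.pub" "$name"; then
            report="$report$name=yes "
        else
            report="$report$name=no "
        fi
    done
    rm -rf "$dir"
    printf '%s\n' "${report% }"
}

# Run the demo when ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then demo_report; fi
```

Run against the files copied out of the container, `cert_principals user1-cert.pub` lists the names that certificate can log in as without a password.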