Supporting SSH CAs for access to EMU user namespace repositories [GA] (#49606)

Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>

content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md

@@ -71,7 +71,7 @@ Before you require use of two-factor authentication, we recommend notifying orga
 
 ## Managing SSH certificate authorities for your enterprise
 
-You can use a SSH certificate authorities (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. {% data reusables.organizations.can-require-ssh-cert %} For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)."
+You can use a SSH certificate authority (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. {% ifversion ssh-user-ca %}{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, enterprise{% elsif ghes %}Enterprise{% endif %} members can also be allowed to use the certificate to access personally-owned repositories.{% endif %} {% data reusables.organizations.can-require-ssh-cert %} For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)."
 
 {% data reusables.organizations.add-extension-to-cert %}
 
@@ -87,6 +87,18 @@ If you require SSH certificates for your enterprise, enterprise members should u
 {% data reusables.organizations.new-ssh-ca %}
 {% data reusables.organizations.require-ssh-cert %}
 
+{% ifversion ssh-user-ca %}
+
+### Managing access to user-owned repositories
+
+You can enable or disable access to user-owned repositories with an SSH certificate{% ifversion ghec %} if your enterprise uses {% data variables.enterprise.prodname_managed_users %}. However, if your enterprise uses personal accounts on {% data variables.product.prodname_dotcom_the_website %} members cannot use the certificate to access personally-owned repositories{% endif %}.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SSH Certificate Authorities", select the **Access User Owned Repository** checkbox.
+{% endif %}
+
 ### Deleting an SSH certificate authority
 
 Deleting a CA cannot be undone. If you want to use the same CA in the future, you'll need to upload the CA again.
@@ -95,6 +107,7 @@ Deleting a CA cannot be undone. If you want to use the same CA in the future, yo
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.security-tab %}
 {% data reusables.organizations.delete-ssh-ca %}
+
 {% ifversion ssh-ca-expires %}
 
 ## Upgrading an SSH certificate authority

content/authentication/connecting-to-github-with-ssh/about-ssh.md

@@ -29,8 +29,11 @@ If you haven't used your SSH key for a year, then {% data variables.product.prod
 
 {% ifversion fpt %}
 Organizations that use {% data variables.product.prodname_ghe_cloud %} can provide SSH certificates, which members can use to access that organization's repositories without adding the certificate to their account on {% data variables.product.product_name %}. If you're using an SSH certificate, you cannot use the certificate to access forks of the organization's repositories, if the fork is owned by your personal account. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+
 {% else ghec or ghes %}
-If you're a member of an organization that provides SSH certificates, you can use your certificate to access that organization's repositories without adding the certificate to your account on {% data variables.product.product_name %}. You cannot use your certificate to access forks of the organization's repositories, if the forks is owned by your personal account. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)."
+Organizations that use {% data variables.product.prodname_ghe_cloud %} can provide SSH certificates, which members can use to access that organization's repositories without adding the certificate to their account on {% data variables.product.prodname_dotcom %}.
+
+{% ifversion ghec %}{% data reusables.emus.ssh-ca-support-for-emu %}{% endif %}
 {% endif %}
 
 ## Further reading

content/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities.md

@@ -19,7 +19,13 @@ An SSH certificate is a mechanism for one SSH key to sign another SSH key. If yo
 
 {% data reusables.organizations.ssh-ca-ghec-only %}
 
-After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members. Organization members can use the signed certificates to access your organization's repositories (and only your organization's repositories) with Git. Optionally, you can require that members use SSH certificates to access organization resources. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)" and "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
+After you add an SSH CA to your organization or enterprise account, you can use the CA to sign client SSH certificates for organization members. Organization members can use the signed certificates to access that organization's repositories.
+
+Certificates added to your enterprise grant access to all organizations owned by your enterprise account. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
+
+{% data reusables.organizations.can-require-ssh-cert %}
+
+Optionally, you can require that members use SSH certificates to access organization resources. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)" and "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
 
 For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on {% data variables.product.product_name %}. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.
 
@@ -29,7 +35,7 @@ Organization members can use their signed certificates for authentication even i
 Unless you make SSH certificates a requirement, organization members can continue to use other means of authentication to access your organization's resources with Git, including their username and password, {% data variables.product.pat_generic %}s, and their own SSH keys.
 {% endif %}
 
-Members will not be able to use their certificates to access forks of your repositories that are owned by their personal accounts.
+{% data reusables.emus.ssh-ca-support-for-emu %}
 
 ## About SSH URLs with SSH certificates
 

data/features/ssh-user-ca.yml

@@ -0,0 +1,5 @@
+# Reference: https://github.com/github/docs-content/issues/13535
+# SSH CA support for access to EMU namespace repos
+versions:
+  ghec: '*'
+  ghes: '>= 3.14'

data/reusables/emus/ssh-ca-support-for-emu.md

@@ -0,0 +1 @@
+Members cannot use the certificate to access forks of the organization's repositories, unless the enterprise has allowed SSH CAs to access user owned repositories. For more information, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities).