diff --git a/server/signer/signer.go b/server/signer/signer.go
index 2a15849d6e409dea9a4c85cb799ca8ee04e5575a..00eab60827eba78a285c3c84ece2cfeb63a6ffac 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -10,6 +10,7 @@ import (
 	"go4.org/wkfs"
 	_ "go4.org/wkfs/gcs" // Register "/gcs/" as a wkfs.
 
+	"github.com/delicb/gstring"
 	"github.com/nsheridan/cashier/lib"
 	"github.com/nsheridan/cashier/server/config"
 	"github.com/nsheridan/cashier/server/store"
@@ -38,7 +39,8 @@ type KeySigner struct {
 func (s *KeySigner) setPermissions(cert *ssh.Certificate) {
 	cert.CriticalOptions = make(map[string]string)
 	cert.Extensions = make(map[string]string)
-	for _, perm := range s.permissions {
+	for _, p := range s.permissions {
+		perm := gstring.Sprintm(p, map[string]interface{}{"user": cert.ValidPrincipals[0]})
 		if strings.Contains(perm, "=") {
 			opt := strings.Split(perm, "=")
 			cert.CriticalOptions[strings.TrimSpace(opt[0])] = strings.TrimSpace(opt[1])