[Bug 2436] New: Add ssh option to present certificates on command line

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jul 31 03:41:34 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2436

            Bug ID: 2436
           Summary: Add ssh option to present certificates on command line
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mebhat at akamai.com

Created attachment 2679
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2679&action=edit
[PATCH] Add ssh -z option to present certificates on command line

Currently, it is difficult for users to manage having multiple
certificates for a single key pair. One of the easiest ways to manage
the certificates is to have a copy of the key pair for every
certificate. Some of these concerns were brought up in the following
thread:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-September/031629.html
The goal of this patch is to make it easier for users to handle
presenting specific certificates during ssh.

With this patch, users may specify one or more certificates to be used
for authentication on the command line with the '-z' argument when
running ssh. A user may also include a specific certificate in the
ssh_config file as a CertificateFile.

For successful authentication, the key pair associated with the
certificate must also be presented during the ssh. This key pair may be
loaded in a currently-running ssh agent, for example, or provided as an
identity file on the command line. Since the specified certificates can
be used in combination with keys pairs in the agent, users can avoid
having to enter a passphrase before using a certificate.

The code for this patch is closely modeled after that of identity
files. However, there are some differences to account for making sure
the loaded file is a certificate, as well as identifying which key pair
is associated with the certificate.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list