X.509 support in ssh (revisited)

[Nicolas Williams]

On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> 
> 
> 
> On Wed, 23 Jan 2002, Donald van de Weyer wrote:
> 
> > mouring at etoh.eviladmin.org writes:
> >
> > > As far as I'm aware of there is no such thing as --with-x509 for OpenSSH
> > > unless that article was suppose to come with a patch to OpenSSH.
> >
> > I would suppose that is what is in that 400K tarball. I didn't look however
> > ...
> >
> Wow..I hope that is the whole OpenSSH source in that tarball.  Because
> that is larger than OpenSSH 3.0.2p1 portable code compressed!

The tarball's not there to be found...

> Does X.509 really make sense with SSH?  I mean you are still not going to
> get Verisigned licenses and even that you are putting your trust in a 3rd
> party certificate which has no real bearing on the trust of the machine in
> question.

X.509, like GSS-API w/ Kerberos or GSI, solve the problem of known host
key distribution.

Also, I have a patch to OpenSSH 3.0.2p1 that allows the use of names in
authorized_keys entries, krb4, krb5 and GSI names, and with X.509
support, if OpenSSH had it, certificate names. This functionality is
more general than the traditional .klogin and .k5login authorization
checks and it solves the problem of having to update authorized_keys
whenever you re-key.

So I can have auth_keys entries like:

ssh-named:krb5 myusername at MYREALM
ssh-named:krb5 myusername/admin at MYREALM

And:

ssh-name-pat:krb5 */superroot at MYREALM


>  - Ben


Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.