X.509 support in ssh (revisited)

Ed Phillips ed at UDel.Edu
Thu Jan 24 04:57:24 EST 2002


On Wed, 23 Jan 2002, Markus Friedl wrote:

> Date: Wed, 23 Jan 2002 17:42:46 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: mouring at etoh.eviladmin.org
> Cc: Donald van de Weyer <donald at demag.rwth-aachen.de>,
>      Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
>      secureshell at securityfocus.com
> Subject: Re: X.509 support in ssh (revisited)
>
> On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > Does X.509 really make sense with SSH?  I mean you are still not going to
> > get Verisigned licenses and even that you are putting your trust in a 3rd
> > party certificate which has no real bearing on the trust of the machine in
> > question.
>
> well it could make hostkey management simpler, but i see
> no difference between people clicking on
> 	"continue, i don't care about this hostkey"

Okay... maybe someone has upgraded OpenSSH on the system and generated a
new hostkey.  How can you tell?

> and
> 	"continue, i don't care about the certificate for this hostkey"

The kicker is that if you manage the systems, you shouldn't see this
message, because the client will know which CA(s) it should trust on
certs for the sshd servers you want to connect to.  If you see this
message when certs are in play, then something is likely wrong.

I would think that the benefit here is that if your client is configured
to trust only certain signers, then Joe Hacker can't play
man-in-the-middle during the "should I accept this hostkey" question,
because Joe Hacker shouldn't have the private key for the CA you trust.

Isn't that an improvement?

I could envision that when generating a hostkey, you take extra steps to
sign it with your CA key, then you install OpenSSH with an extra file
containing a list of trusted signers.  Maybe I'm extrapolating too much
on the features implemented in the original "--with-x509" feature that was
posted?

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
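The trust model Ed sketches above (a host key signed by your own CA, and a client shipped with "an extra file containing a list of trusted signers" so that Joe Hacker, who lacks the CA private key, cannot pass the hostkey check) is what OpenSSH eventually implemented natively, years after this thread: host certificates (ssh-keygen -s ... -h, trusted via an @cert-authority line in known_hosts) and, later, the generic ssh-keygen -Y sign/verify facility with an allowed_signers file. The script below is an added example, not code from the original post or from the --with-x509 patch under discussion; it uses ssh-keygen (OpenSSH 8.0 or newer for -Y) and all names (ca@example.org, the "hostkey" namespace, host.example.org, the file names) are illustrative. It builds the CA-signed host key, the trusted-signers file, and a forgery by an attacker key, and checks that only the CA-signed copy verifies.

```shell
#!/bin/sh
# Added example (not from the original thread): CA-signed host key plus a
# client-side list of trusted signers, using OpenSSH's own ssh-keygen.
# Hostnames, principals and file names are illustrative assumptions.

demo_trusted_signers() {
  # Gracefully skip where ssh-keygen is not installed.
  command -v ssh-keygen >/dev/null 2>&1 || { echo skip; return 0; }
  d=$(mktemp -d) || { echo fail; return 1; }
  (
    cd "$d" || exit 1
    # Organisation CA key (would be kept offline), the server's host key,
    # and Joe Hacker's key.  Joe never gets ca_key.
    ssh-keygen -q -t ed25519 -N '' -C 'ca@example.org' -f ca_key
    ssh-keygen -q -t ed25519 -N '' -C 'host.example.org' -f host_key
    ssh-keygen -q -t ed25519 -N '' -C 'joe' -f joe_key

    # 1) Native host certificate: CA signs the host key (-h = host cert,
    #    -n = principals the cert is valid for), yielding host_key-cert.pub.
    ssh-keygen -s ca_key -I host.example.org -h -n host.example.org \
        host_key.pub >/dev/null 2>&1 || exit 1
    ssh-keygen -L -f host_key-cert.pub >/dev/null 2>&1 || exit 1
    # The client-side trust anchor: one known_hosts line naming the CA,
    # instead of one line per host key.
    printf '@cert-authority *.example.org %s\n' \
        "$(cut -d' ' -f1,2 ca_key.pub)" > known_hosts

    # 2) The same model with an explicit "list of trusted signers":
    #    principal, allowed namespace, CA public key.
    printf 'ca@example.org namespaces="hostkey" %s\n' \
        "$(cut -d' ' -f1,2 ca_key.pub)" > allowed_signers

    # CA signs the host key -> host_key.pub.sig
    ssh-keygen -Y sign -f ca_key -n hostkey host_key.pub >/dev/null 2>&1 || exit 1
    # Joe signs an identical copy with his own key -> joe_host.pub.sig
    cp host_key.pub joe_host.pub
    ssh-keygen -Y sign -f joe_key -n hostkey joe_host.pub >/dev/null 2>&1 || exit 1

    # Client check: signature must come from a key listed for the
    # claimed principal.  The CA's signature passes ...
    if ssh-keygen -Y verify -f allowed_signers -I ca@example.org \
         -n hostkey -s host_key.pub.sig < host_key.pub >/dev/null 2>&1
    then good=yes; else good=no; fi
    # ... Joe's does not, even though he claims the same principal.
    if ssh-keygen -Y verify -f allowed_signers -I ca@example.org \
         -n hostkey -s joe_host.pub.sig < host_key.pub >/dev/null 2>&1
    then forged=yes; else forged=no; fi

    if [ "$good" = yes ] && [ "$forged" = no ]; then echo ok; else echo fail; fi
  )
  rc=$?
  rm -rf "$d"
  return $rc
}

demo_trusted_signers
```

The known_hosts line written in step 1 is the whole client-side configuration a modern OpenSSH needs to accept host.example.org's certificate without ever prompting "continue, I don't care about this hostkey"; a regenerated host key only needs re-signing by the CA, and a man-in-the-middle presenting an unsigned or attacker-signed key fails hard instead of producing a question the user can click through.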
