X.509 support in ssh (revisited)

Stephanie Thomas steph at ssh.com
Thu Jan 24 05:51:18 EST 2002


Actually, Thanos, the certificate support in SSH Secure Shell is not just
for SSH Certifier - we've done interop testing with several CA vendors.  And
most CAs are supported through the importing of DER encoded binary X.509
(.CER) or Cryptographic Message Syntax Standard - PKCS #7 Certificates
(.P7B) certificates (see RSA guide below for example of this).  SSH Secure
Shell has even been certified (please excuse the pun ;) to work with RSA
Keon:

http://www.rsasecurity.com/support/guides/keonca_pdfs/SSH_Secure_Shell_KCA.pdf

You can perform certificate testing using SSH Certifier at this site:

http://www.ssh.com/tech/pki/

And you can find information about supported hardware tokens here:

http://www.ssh.com/products/ssh/interoperability.cfm

If you have specific questions about SSH Secure Shell and PKI and are
evaluating, please submit your questions using our Support Request Form
here:

http://www.ssh.com/support/ssh/pre-sales_support.cfm

Cheers,

Steph

****************************
Stephanie Thomas
SSH Secure Shell
SSH Communications Security
Technical Support Specialist
GIAC Certified
Unix Security Administrator
****************************

-----Original Message-----
From: Anne Carasik [mailto:gator at cacr.caltech.edu]
Sent: Wednesday, January 23, 2002 8:46 AM
To: Thanos Siaperas
Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: X.509 support in ssh (revisited)


On Wed, Jan 23, 2002 at 04:46:43PM +0200, Thanos Siaperas wrote:
[deletia]
>  * X.509 certificate support for authentication. As used in the likes of
>  stunnel, mod_ssl etc for client auth.
>
>  * Directory based (LDAP) key lookup. Either for X.509 public certs or
>  standard ssh public key.
[deletia]
> We are considering upgrading our ssh infrastructure, from the previous
> one (f-secure) to OpenSSH or ssh.com's SSH.
> ssh.com's SSH supports certificate authentication in their commercial
> version.

Ok, right. With the many certificate vendors out there, I'd find out
who exactly they do support.

Last time I checked, X.509 support was only for SSH's own CA (Certifier).

Last I heard (and it's been a while), OpenSSH is supposed to have some
spki support, but I'm not sure when it's going to be implemented.

-Anne
--
              .-"".__."``".   Anne Carasik, sysadmin, gator at cacr.caltech.edu
 .-.--. _...' (/)   (/)   ``'      Don't insult the alligator till after you
(O/ O) \-'      ` -="""=.    ',                  cross the river. -unknown
~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~

