X.509 support in ssh (revisited)

Rex Buddenberg budden at nps.navy.mil
Thu Jan 24 06:24:01 EST 2002


>> I only need to protect the
>> home-brew-CA private key.  That is workable in my environment, and the
>> reward seems worth the effort.  Anyone else think it would be worth it?
>
> I think so. Having all your hostkeys signed by a central authority (like
> an OpenSSL generated key) should be fine. There's no reason you have to
> pay a Certificate Authority to do it.

If this is the limit of scope to your application, by all means keep it simple.

>
> You could do something like GnuPG and sign all the keys by a single key
> (treating it like a CA), if OpenSSH can have a hook to use GnuPG keys.
> As a university employee, we look for solutions that are very cost-effective
> (especially if they don't cost anything :).


Scope limitation: you can do this for secure comms but only for the 
accounts you manage -- your students, faculty and staff.  It won't 
work for your supply department trying to buy copier toner from an 
outside vendor because that vendor won't be on the same key tree.


-- 
b
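The home-brew CA sketched in the quoted reply, and the scope limitation described above, as an added example that is not part of the original thread. It uses only the openssl command line: one function creates a self-signed CA (the one private key that has to be protected), one generates a host key and has the CA sign it, and one verifies a host certificate against a chosen CA. Stock OpenSSH does not consume X.509 certificates; the thread is about adding that, so this only shows the trust-tree mechanics. The CA names, host names and the scratch directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the openssh-unix-dev thread): a home-brew X.509 CA
# that signs SSH host keys, plus a check that a certificate issued by an
# outside CA does not verify against it. Assumes the openssl CLI is installed.
# All names and paths below are hypothetical.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a CA as a self-signed certificate. The CA private key written to
# $WORK/<name>-ca.key is the only secret the scheme depends on.
make_ca() {
    name="$1"   # e.g. "campus" or "vendor"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$name home-brew CA" \
        -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.crt" 2>/dev/null
}

# Generate a host key pair and a CSR for it, then have the named CA sign the
# CSR into a host certificate ($WORK/<host>.crt).
sign_host() {
    ca="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -days 365 \
        -in "$WORK/$host.csr" \
        -CA "$WORK/$ca-ca.crt" -CAkey "$WORK/$ca-ca.key" -CAcreateserial \
        -out "$WORK/$host.crt" 2>/dev/null
}

# Verify a host certificate against one CA only. Prints "ok" when the
# certificate chains to that CA and "fail" otherwise, mirroring what a
# certificate-aware client would decide.
verify_host() {
    ca="$1"; host="$2"
    if openssl verify -CAfile "$WORK/$ca-ca.crt" "$WORK/$host.crt" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

# Usage (hypothetical names):
#   make_ca campus; sign_host campus login1.example.edu
#   verify_host campus login1.example.edu   -> ok
#   make_ca vendor; sign_host vendor shop.example.com
#   verify_host campus shop.example.com     -> fail (different key tree)
```

The last two usage lines are the scope limitation in practice: a host whose certificate was issued by the vendor's CA verifies under the vendor's root but not under the campus root, because the two roots are not on the same key tree and nothing cross-signs them.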



More information about the openssh-unix-dev mailing list