X.509 support in ssh via PAM?

mouring at etoh.eviladmin.org
Thu Jan 24 07:16:37 EST 2002


On Wed, 23 Jan 2002, Peter Watkins wrote:

> On Wed, Jan 23, 2002 at 10:21:39AM -0800, Anne Carasik wrote:
>
> > I don't remember who said this, as this was a while back. All I remember
> > is the PKI thingy, and everyone was trying to do something with it.
> >
> > From a sysadmin standpoint, I'd like to be able to manage user keys with
> > PKI.
> >
> > You can probably do that with PAM, right?
>
> Maybe halfway, if that, right? Most of us, I'd wager, are more concerned
> about managing/certifying host keys, so a client knows[0] the sshd is
> legit, that there's no MITM attack going on. And all the PAM hooks right
> now are in the sshd code, so PAM wouldn't come into play here. Is PAM
> usable, or appropriate, for use on the *client* side, for verifying the
> key presented by the sshd?
>

I think PAM support of PKI would be a shoehorning at best.

> PAM could be useful for the other way around. If the sshd were told to
> treat "sshpeer.example.com" as a trusted host, then sshd would need a way
> of verifying the key presented by the client. Clearly PAM might work there,
> if such a PAM module were to exist.
>
> But since OpenSSH already uses OpenSSL, wouldn't it make more sense just to
> leverage the OpenSSL code instead?
>

I think OpenSSL's X.509 support would be better since it lends itself to
being more portable when everything is said and done.


> -Peter
>
> [0] not Ben's client, but those of us who might enable PKI :-)
>

<grin> For those who want to trust me.. I'd be happy to issue 'EvilAdmin'
certified keys.  And manage them for only $30 a month for the rest of your
life.  It would help offset my need to buy Sparc servers that I acquired
in the last year.

- Ben
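The direction Peter and Ben both favour, leveraging OpenSSL's X.509 code rather than PAM, is illustrated by the following added example, which is not part of the thread and not OpenSSH code: a site CA certifies an sshd's host key, and a client checks the certificate the server presents against the CA it trusts, rejecting a certificate for another host and one for the same hostname issued by an unrelated CA (the MITM case raised above). The CA and host names are constructed for the illustration, and the script assumes the `openssl` command-line tool is installed. The same chain check, applied to a certificate presented by a client, is what sshd would need for the "trusted host" direction.

```shell
#!/bin/sh
# Added example, not code from the thread: an X.509 chain for SSH host identity,
# built and checked with the OpenSSL command-line tool (assumed installed).
# The CA names and hostnames below are constructed for the illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate and key under $WORK/NAME.*
# (the default openssl.cnf marks a req -x509 certificate as CA:TRUE).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/O=Example Site/CN=$1" >/dev/null 2>&1
}

# issue_host_cert CA HOST OUT: generate a host key and CSR with CN=HOST, then
# have CA sign it. Output goes to $WORK/OUT.* so that two CAs can certify the
# same hostname without overwriting each other. This is the once-per-sshd step.
issue_host_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.crt" >/dev/null 2>&1
}

# verify_host_cert TRUSTED_CA CERT HOSTNAME: what a client does with the
# certificate an sshd hands over at connection time. Two questions are asked
# in one OpenSSL call: does the chain end at the CA the client trusts, and is
# the certificate for the host that was actually dialled? Prints "trusted" or
# "rejected"; nothing is trusted on the say-so of the server alone.
verify_host_cert() {
    if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
           "$WORK/$2.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Scenario: the site CA certifies two hosts; an unrelated CA issues a
# certificate carrying one of the same hostnames (a man in the middle who
# controls his own CA but not the site's).
make_ca site-ca
make_ca rogue-ca
issue_host_cert site-ca  sshpeer.example.com sshpeer
issue_host_cert site-ca  bastion.example.com bastion
issue_host_cert rogue-ca sshpeer.example.com impostor

echo "genuine sshpeer.example.com:    $(verify_host_cert site-ca sshpeer  sshpeer.example.com)"
echo "site cert for a different host: $(verify_host_cert site-ca bastion  sshpeer.example.com)"
echo "same name, untrusted CA:        $(verify_host_cert site-ca impostor sshpeer.example.com)"
```

The third line of output is the one that matters for the MITM concern: a certificate with the right hostname but the wrong issuer is rejected, because the client's decision rests on the CA it was configured to trust, not on anything the server sent. Only the CA certificate has to be distributed to clients; individual host keys no longer do.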
