x509v3-sign-rsa authentication type...

Roumen Petrov openssh at roumenpetrov.info
Fri May 9 18:24:53 EST 2003

Kevin Stefanik wrote:

>On Thursday 08 May 2003 02:05 pm, Markus Friedl wrote:
>>On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote:
>>>I've seen a variety of patches on the list for supporting the x509v3
>>>certificate authentication. Are there any plans to include any of these
>>>in the official openssh?
>>perhaps a simpler version.
>I've been using Roumen's patch, quite happily, for a couple of weeks now. The
>simpler patches didn't seem to be as full, e.g., lacking CRLs. From what I
>saw, most of the complexity was in the x509 store. The actual changes to
>openssh code didn't seem extreme. Or were they?
>Would splitting out the x509 store somehow help? Maybe there's a way to split
>the patch out into more digestible parts?
It is possible to remove the x509 store, i.e. to split the patch, but
1.) this makes the order of applying patches very important.
2.) X509 cert. support (versions from 'b' to 'd') contains a pointer to the
function x509store_check(), i.e. when the pointer is NULL the cert. is not
verified. A program (sshd/ssh) should set this pointer. Take note: when the
pointer is NULL this is a BUG: when the user's authorized_keys/known_hosts
files contain a cert. in blob format it is possible to skip cert.
verification, but when authorized_keys/known_hosts contain a DN
(Distinguished Name) we should verify the sent user/server certificate.
Version after "d" call always

In conclusion, without the x509 store we can put a cert. in
authorized_keys/known_hosts only in blob format; with the x509 store we can
use both (blob and DN).
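
The fail-open hook described above, modelled as an added C example that is not the patch's own code: a DN entry in authorized_keys/known_hosts is matched by subject name only, so a NULL x509store_check pointer lets any certificate bearing that subject through, while the fail-closed variant denies it until a store is configured. The entry kinds, the hook signature, the DN and the "GOOD-BLOB"/"FORGED" blob values are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the design described in the mail, not the patch's code.
   An authorized_keys/known_hosts entry is either a full certificate blob or a
   Distinguished Name; the presented cert is verified through a hook in the
   style of x509store_check(), which the program (ssh/sshd) may leave NULL. */
typedef enum { ENTRY_BLOB, ENTRY_DN } entry_kind;
typedef struct { entry_kind kind; const char *value; } key_entry;
typedef struct { const char *blob; const char *subject_dn; } presented_cert;
typedef int (*x509store_check_fn)(const presented_cert *);

static x509store_check_fn x509store_check = NULL;

/* Hypothetical store: only the CA-issued blob "GOOD-BLOB" verifies. */
static int trusted_store_check(const presented_cert *c) {
    return strcmp(c->blob, "GOOD-BLOB") == 0;
}

/* Returns 1 if the presented cert is accepted for the entry. A blob entry pins
   the whole certificate, so skipping the store there is what the mail allows.
   A DN entry matches the name only; with a NULL hook, fail_closed == 0 gives
   the BUG (any cert bearing that subject is accepted), fail_closed == 1 denies. */
int authorize(const key_entry *e, const presented_cert *c, int fail_closed) {
    if (e->kind == ENTRY_BLOB)
        return strcmp(e->value, c->blob) == 0;
    if (strcmp(e->value, c->subject_dn) != 0)
        return 0;
    return x509store_check != NULL ? x509store_check(c) : !fail_closed;
}

/* Constructed scenario: a DN entry and a cert carrying that subject, whose
   blob is either the CA-issued "GOOD-BLOB" or something else. */
int dn_entry_login(int fail_closed, int store_configured, const char *blob) {
    key_entry e = { ENTRY_DN, "CN=alice,O=Example" };
    presented_cert c = { blob, "CN=alice,O=Example" };
    x509store_check = store_configured ? trusted_store_check : NULL;
    return authorize(&e, &c, fail_closed);
}

int main(void) {
    printf("fail-open,   no store, forged cert:  %d (bug)\n", dn_entry_login(0, 0, "FORGED"));
    printf("fail-closed, no store, forged cert:  %d\n", dn_entry_login(1, 0, "FORGED"));
    printf("fail-closed, store,    forged cert:  %d\n", dn_entry_login(1, 1, "FORGED"));
    printf("fail-closed, store,    genuine cert: %d\n", dn_entry_login(1, 1, "GOOD-BLOB"));
    return 0;
}
```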

More information about the openssh-unix-dev mailing list