PKI and SSH (cont.)

Ben Hacker Jr strbenjr at yahoo.com
Wed Mar 2 13:55:35 EST 2005


Dear List...

I have a similar question to the one that is copied below.  I 
am trying to get instructions for configuring OpenSSH to use PKI 
based authentication.  

I understand that I can provide the server with the public keys 
of the client machines to get this working (one way) but the next 
step is where I would like to go...

I want SSHD to authenticate my users based upon the "Root 
Certificate" of "My" PKI.  (Say I set it up using: "CA.pl" 
http://www.openssl.org/docs/apps/CA.pl.html)

If the client attempting to authenticate presents a certificate 
that has been: 

1. signed by My_Root_CA
2. is not expired
3. is not revoked

then SSHD will proceed with the authentication of the client.

If the "client user" gets Public/private keys + certificate from 
some other CA (like DigSigTrust.com or Verisign.com) the SSHD will 
NOT authenticate because the certificate used was not signed by: 
"My_Root_CA"

Can OpenSSH do this??

If not, I do not want the client user to be able to install his own 
public keys.  Can I put a list of accepted public keys somewhere else 
(like: /etc/ssh/authorized_keys) or do I have to put them in each 
user's home directory and make the ~/.ssh/authorized_keys only 
writable by root?

Please CC: me on the reply because I am not subscribed to this list.  

Thanks in advance for your reply.
Ben Hacker Jr

-----Original Message-----
From: openssh-unix-dev-bounces+libove=felines.org at mindrot.org
[mailto:openssh-unix-dev-bounces+libove=felines.org at mindrot.org] On
Behalf Of Gregory Seidman
Sent: Monday, February 23, 2004 5:23 PM
To: OpenSSH development list
Subject: PKI and SSH

Due to unpleasant (but arguably valid) policy changes at work, any SSH
server within the work firewall must accept only PKI authentication.
Unless we can convince the higher-ups otherwise, we will also have to
use the commercial SSH server within the firewall. Of course, I should
be able to use whatever client I like. Unfortunately, it is not clear
that I can get OpenSSH to use PKI authentication. A bit of googling
turns up a patch, but nothing too certain or clear. Does OpenSSH support
PKI authentication? If so, how do I use it?

--Greg


-- 
Ben Hacker, Jr.
 Sr. Security Analyst
   strbenjr at yahoo.com
   ben_hacker at inter-op.net
 703.751.3757 (w)
-- -- --
http://www.coeba.org
http://www.inter-op.net
http://www.hackerweb.net/bthacker
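Added example, not part of the thread above and not taken from any reply to it: OpenSSH's own certificate authentication (the TrustedUserCAKeys and RevokedKeys directives, which appeared in OpenSSH 5.4 in 2010, well after this message) implements the three checks the question lists: signed by a private CA, not expired, not revoked. It uses OpenSSH's own certificate format rather than X.509 certificates from CA.pl, so an OpenSSL-built CA is not used directly. The same sshd_config also answers the second question by pointing AuthorizedKeysFile at a root-owned directory instead of ~/.ssh. The directory /etc/ssh/ca, the key id suffix "@my-org", the principals directory and the demo paths are hypothetical; the ssh-keygen flags are standard ones.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): OpenSSH-native certificate
# authentication with a private CA, plus a root-controlled authorized_keys
# location. Assumes OpenSSH 5.4 or later. Paths and names are hypothetical.
set -eu

CA_DIR="${CA_DIR:-/etc/ssh/ca}"              # hypothetical home for the CA key pair
USER_CA="$CA_DIR/user_ca"                    # private half should live off the SSH server
KRL="${KRL:-/etc/ssh/revoked_keys}"          # key revocation list read by sshd

# sshd_config fragment: trust only certs signed by our CA, honour the KRL,
# and read plain keys only from a root-owned directory instead of ~/.ssh.
render_sshd_config() {
    cat <<'EOF'
# Accept certificates signed by My_Root_CA (OpenSSH certificate format, not X.509)
TrustedUserCAKeys /etc/ssh/ca/user_ca.pub
# A cert or key listed in this KRL is rejected even if it is otherwise valid
RevokedKeys /etc/ssh/revoked_keys
# Root-owned file per account naming the principals a cert may carry for it
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
# Plain keys users cannot edit: /etc/ssh/authorized_keys/<user>, root-owned, 0644
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
# Leave no weaker path open alongside certificates
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Create the CA key pair once, ideally on a host that is not the SSH server.
create_ca() {
    mkdir -p "$CA_DIR"
    ssh-keygen -t ed25519 -N '' -C 'My_Root_CA' -f "$USER_CA"
}

# Sign a user's public key. The cert carries a key id (logged by sshd on login),
# the principal it may log in as, a serial for individual revocation, and a
# validity window, which is what gives the "not expired" check.
# Usage: issue_user_cert ben /path/to/id_ed25519.pub  -> writes id_ed25519-cert.pub
issue_user_cert() {
    principal="$1"; pubkey="$2"
    serial=$(date +%s)
    ssh-keygen -s "$USER_CA" -I "$principal@my-org" -n "$principal" \
        -V '+52w' -z "$serial" "$pubkey"
}

# Revoke an issued cert by adding it to the KRL; sshd re-reads the KRL per login.
# Usage: revoke_cert /path/to/id_ed25519-cert.pub
revoke_cert() {
    if [ -f "$KRL" ]; then
        ssh-keygen -k -f "$KRL" -u "$1"       # update an existing KRL
    else
        ssh-keygen -k -f "$KRL" "$1"          # create a fresh one
    fi
}

# Self-contained walk-through in a scratch directory: run as "sh thisfile demo".
demo() {
    work=$(mktemp -d); CA_DIR="$work/ca"; USER_CA="$CA_DIR/user_ca"; KRL="$work/krl"
    create_ca
    ssh-keygen -t ed25519 -N '' -C 'ben test key' -f "$work/id_ed25519"
    issue_user_cert ben "$work/id_ed25519.pub"
    ssh-keygen -L -f "$work/id_ed25519-cert.pub"   # shows signer, principals, validity
    revoke_cert "$work/id_ed25519-cert.pub"
    ssh-keygen -Q -f "$KRL" "$work/id_ed25519-cert.pub" || echo "cert is now revoked"
    render_sshd_config
}

if [ "${1-}" = demo ]; then demo; fi
```

The KRL is what makes revocation effective without touching every server's authorized_keys, and the validity window (-V) is checked by sshd against its own clock, so certificates issued this way expire on their own. The authorized_keys directory under /etc/ssh must be owned by root and not group- or world-writable, or sshd's StrictModes check will refuse to read it.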