[SPAM] PKI and SSH (cont.)

Roumen Petrov openssh at roumenpetrov.info
Thu Mar 3 01:06:24 EST 2005


Hi Ben,

For PKI support in OpenSSH, patches and etc., please visit my page
http://roumenpetrov.info/openssh/ .


> Dear List...
>
> I have a similar question to the one that is copied below.  I
> am trying to get instructions for configuring OpenSSH to use PKI
> based authentication.
>
> I understand that I can provide the server with the public keys
> of the client machines to get this working (one way) but the next
> step is where I would like to go...
>
> I want SSHD to authenticate my users based upon the "Root
> Certificate" of "My" PKI.  (Say I set it up using: "CA.pl"
> http://www.openssl.org/docs/apps/CA.pl.html)
>
> If the client attempting to authenticate presents a certificate
> that has been:
>
> 1. signed by My_Root_CA
> 2. is not expired
> 3. is not revoked
>
> then SSHD will proceed with the authentication of the client.
>
> If the "client user" gets Public/private keys + certificate from
> some other CA (like DigSigTrust.com or Versign.com) the SSHD will
> NOT authenticate because the certificate used was not signed by:
> My_Root_CA
>
> Can OpenSSH do this??


After patch yes ;-).


>
> If not,  I do not want the client user to be able to install his own
> public keys.  Can I put a list of accepted public keys somewhere else
> (like: /etc/ssh/authorized_keys) or do I have to put them in each
> users home directory and make the ~/.ssh/authorized_keys only
> writable by root?


It is discussed many times in the lists.


>
> Please CC: me on the reply because I am not subscribed to this list.
>
> Thanks in advance for your reply.
> Ben Hacker Jr
>
> -----Original Message-----
> From: openssh-unix-dev-bounces+libove=felines.org at mindrot.org
> [mailto:openssh-unix-dev-bounces+libove=felines.org at mindrot.org] On
> Behalf Of Gregory Seidman
> Sent: Monday, February 23, 2004 5:23 PM
> To: OpenSSH development list
> Subject: PKI and SSH
>
> Due to unpleasant (but arguably valid) policy changes at work, any SSH
> server within the work firewall must accept only PKI authentication.
> Unless we can convince the higher-ups otherwise, we will also have to
> use the commercial SSH server within the firewall. Of course, I should
> be able to use whatever client I like. Unfortunately, it is not clear
> that I can get OpenSSH to use PKI authentication. A bit of googling
> turns up a patch, but nothing too certain or clear. Does OpenSSH support
> PKI authentication? If so, how do I use it?
>
> --Greg
>
>
> --
> Ben Hacker, Jr.
>  Sr. Security Analyst
>    strbenjr at yahoo.com
>    ben_hacker at inter-op.net
>  703.751.3757 (w)
> -- -- --
> http://www.coeba.org
> http://www.inter-op.net
> http://www.hackerweb.net/bthacker
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
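The three-step check Ben asks for (signed by My_Root_CA, not expired, not revoked) is what any certificate-aware sshd, patched or commercial, has to perform before it even looks at the user's key. The Go program below is an added example written for this page; it is not code from OpenSSH or from the PKI patch Roumen links to. It builds a throwaway My_Root_CA and an unrelated second CA in memory, issues four client certificates (valid, expired, revoked, and one from the other CA), publishes a CRL from My_Root_CA, and runs the server-side decision over each. The CA names, serial numbers and user name are constructed, and the check is done with Go's crypto/x509 rather than OpenSSL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must keeps the demo short: any setup failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a constructed, in-memory stand-in for "My_Root_CA" (or any other CA).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string, now time.Time) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// issue signs a client-auth certificate for user; the user's key pair is dropped,
// since only the certificate matters for the server-side decision.
func (c *ca) issue(user string, serial int64, now, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-2 * time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key))
	return must(x509.ParseCertificate(der))
}

// crl issues a CRL from this CA listing the given serials as revoked.
func (c *ca) crl(now time.Time, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, c.cert, c.key))
	return must(x509.ParseRevocationList(der))
}

// CheckClientCert is the server-side decision the question describes:
// (1) chains to the trusted root, (2) valid at now, (3) not on the root's CRL.
func CheckClientCert(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Verify covers checks 1 and 2 and also insists on the clientAuth extended key usage.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	// Check 3: only a CRL actually signed by the root counts, and the serial must be absent.
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// Scenarios builds the four cases from the thread and reports which ones the server accepts.
func Scenarios() map[string]bool {
	now := time.Now()
	myCA := newCA("My_Root_CA", now)
	otherCA := newCA("Some_Other_CA", now) // constructed stand-in for a third-party commercial CA
	certs := map[string]*x509.Certificate{
		"valid":    myCA.issue("ben", 100, now, now.Add(time.Hour)),
		"expired":  myCA.issue("ben", 101, now, now.Add(-time.Hour)),
		"revoked":  myCA.issue("ben", 102, now, now.Add(time.Hour)),
		"other-ca": otherCA.issue("ben", 103, now, now.Add(time.Hour)),
	}
	crl := myCA.crl(now, 102) // My_Root_CA has revoked serial 102
	accepted := map[string]bool{}
	for name, cert := range certs {
		accepted[name] = CheckClientCert(cert, myCA.cert, crl, now) == nil
	}
	return accepted
}
```

Only the `valid` certificate comes back accepted; the other three fail the chain, validity and CRL tests respectively, and the CRL is honoured only after its own signature from the root has been checked, because a CRL from any other signer would let a revoked key back in. Two caveats for anyone reading this thread today: stock OpenSSH later gained its own, non-X.509 certificate format (`TrustedUserCAKeys` and `RevokedKeys` in sshd_config) that gives the same three checks without the X.509 patch, while X.509 support itself still comes from the external patch; and for the second question, the `AuthorizedKeysFile` directive, with its `%u` token, lets an administrator keep accepted keys under a root-owned path instead of each user's home directory.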

