OpenSSH Certkey (PKI)

Wolfgang S. Rupprecht wolfgang+gnus200611 at
Thu Nov 16 11:53:55 EST 2006

Daniel Hartmeier <daniel at> writes:
> This patch against OpenBSD -current adds a simple form of PKI to
> OpenSSH. We'll be using it at work.

Sounds like something that was needed for a while.

> +A host certificate is a guarantee made by the CA that a host public key is
> +valid. When a host public key carries a valid certificate, the client can
> +use the host public key without asking the user to confirm the fingerprint
> +manually and through out-of-band communication the first time. The CA takes
> +the responsibility of verifying host keys, and users do no longer need to
> +maintain known_hosts files of their own.

This confuses the whole authentication vs. authorization concepts.

authentication - "May I please see your drivers license?"

authorization - "That's a valid license but I don't see your name on
                 the list to go in."

I would hate to have my ssh allow anyone in just because we used the
same CA.  I still see the authorized_keys file as having a very
important role even if the first layer defense is to check if the
certificate is signed by a CA I trust.

> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.

This fix is in the bag once authorized_keys gets consulted even for

Wolfgang S. Rupprecht      

More information about the openssh-unix-dev mailing list