OpenSSH Certkey (PKI)
Wolfgang S. Rupprecht
wolfgang+gnus200611 at dailyplanet.dontspam.wsrcc.com
Thu Nov 16 11:53:55 EST 2006
Daniel Hartmeier <daniel at benzedrine.cx> writes:
> This patch against OpenBSD -current adds a simple form of PKI to
> OpenSSH. We'll be using it at work.
Sounds like something that was needed for a while.
> +A host certificate is a guarantee made by the CA that a host public key is
> +valid. When a host public key carries a valid certificate, the client can
> +use the host public key without asking the user to confirm the fingerprint
> +manually and through out-of-band communication the first time. The CA takes
> +the responsibility of verifying host keys, and users do no longer need to
> +maintain known_hosts files of their own.
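Review bot: The first two sentences of this paragraph let the client skip the fingerprint prompt whenever the host key "carries a valid certificate", but the paragraph never says what the certificate ties the key to or what the client checks beyond the CA's guarantee. Spell out what "valid" means here, so a reader can tell whether the CA is vouching for one particular host or for any host that holds a signed key. In the last sentence, "users do no longer need to" should read "users no longer need to".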
This confuses the whole authentication vs. authorization concepts.

authentication - "May I please see your driver's license?"
authorization - "That's a valid license but I don't see your name on
the list to go in."
I would hate to have my ssh allow anyone in just because we used the
same CA. I still see the authorized_keys file as having a very
important role even if the first layer defense is to check if the
certificate is signed by a CA I trust.
> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.
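Review bot: The first paragraph says the CA holds control over "hosts and user accounts", yet the sentence on compromise names only user accounts; if a stolen CA private key also affects host certificates, the text should say so. In the second paragraph, since revocation is not possible, the documentation should tell the administrator what to do when a CA key or a single certificate is compromised, and should advise keeping the expiry date set by the CA short. The comma splice in "once it has been published, the certificate is valid" wants a full stop or a semicolon.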
This fix is in the bag once authorized_keys gets consulted even for
certificates.
-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/