OpenSSH Certkey (PKI)
Andre Oppermann
andre at freebsd.org
Fri Nov 17 04:55:43 EST 2006
Wolfgang S. Rupprecht wrote:
> Daniel Lang <dl at leo.org> writes:
>
>>Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?
>
>
> Oops. I quoted the wrong section. I had meant to quote the section
> about the user_certificates. This is what I meant to cite:
>
> +A user certificate is an authorization made by the CA that the
> +holder of a specific private key may login to the server as a
> +specific user, without the need of an authorized_keys file being
> +present. The CA gains the power to grant individual users access
> +to the server, and users do no longer need to maintain
> +authorized_keys files of their own.
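Review bot: In the last added sentence, "users do no longer need to maintain" should read "users no longer need to maintain". The first sentence's "without the need of an authorized_keys file being present" also leaves open whether an authorized_keys file that is present is still consulted once user certificates are enabled. The text should say this explicitly, because it decides whether the CA's grant is the only path to a login for that user.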
>
> I don't see a problem with the host certificates methodology. (In
> fact I'd love to see the known_hosts files fade away as more hosts
> transition to using host certificates.)
Host certificate verification is separate from user authentication/authorization
through certificates. You can use one without using and enabling the other.
--
Andre