OpenSSH Certkey (PKI)

Andre Oppermann andre at freebsd.org
Fri Nov 17 04:55:43 EST 2006


Wolfgang S. Rupprecht wrote:
> Daniel Lang <dl at leo.org> writes:
> 
>>Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?
> 
> 
> Oops. I quoted the wrong section.  I had meant to quote the section
> about the user_certificates.  This is what I meant to cite:
> 
>      +A user certificate is an authorization made by the CA that the
>      +holder of a specific private key may login to the server as a
>      +specific user, without the need of an authorized_keys file being
>      +present. The CA gains the power to grant individual users access
>      +to the server, and users do no longer need to maintain
>      +authorized_keys files of their own.
> 
> I don't see a problem with the host certificates methodology.  (In
> fact I'd love to see the known_hosts files fade away as more hosts
> transition to using host certificates.)

Host certificate verification is separate from user authentication/authorization
through certificates.  You you can use one without using and enabling the other.

-- 
Andre



More information about the openssh-unix-dev mailing list