OpenSSH Certkey (PKI)

Nick Bender nbender at
Fri Nov 17 07:12:58 EST 2006

> +
> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.
> +

After spending a good part of a night locking down a network when an
admin "left" this leaves me feeling cold.

I think the addition of CAL gives you at least a prayer of addressing
this in a timely manner. In the event that you need to reauthorize
from the top:

 1. Shutdown your CAL servers.
 2. Generate and distribute new CA cert.
 3. Generate and distribute new host certs.
 4. Startup CAL servers.
 5. Generate and distribute new user certs.

Did I miss anything?

The vulnerability window is now time from compromise to time of shutdown
of CAL servers.

Note that there is one other time where the same procedure is required
but without the time pressure - at CA cert expiry time.

I think the procedure should at least be included in the documentation
if not supported in some way by software...


More information about the openssh-unix-dev mailing list