OpenSSH Certkey (PKI) adding CAL (online verification)

Andre Oppermann andre at
Fri Nov 17 07:58:00 EST 2006

chefren wrote:
> On 11/16/06 19:01, Daniel Hartmeier wrote:
>  > On Wed, Nov 15, 2006 at 10:47:47AM -0700, Bob Beck wrote:
>  >
>  >>So, My two cents, make it complete first. Making an architecture
>  >>for ssh that makes it easy to add trust centrally WITHOUT MAKING IT
>  >>EASY TO REMOVE IT is irresponsible.
>  >
>  > Thank you for the rant ;)
>  >
>  > Here's the result. Adding a simple daemon that the OpenSSH servers
>  > can query (over UDP port 22) to check user keys. See the first patch
>  > chunk for details.
>  >
>  > Is this what you had in mind?
>  >
>  > Daniel
> Gentlemen,
> I fully agree with the concerns of Bob Beck and I'm happy with the 
> attention of Daniel Hartmeier. And while everything is better than SSL...
> The security and thus revocation should always be on, by default.

As soon as you configure the CAL server it is enabled.  If you don't,
well...  UNIX and especially the *BSD's are about tools, not policy.
We provide good tools to implement a wide range of sound policies.
It's up to each admin to weigh the tradeoffs and implement what is
actually the most appropriate approach for their situation.

> So it's a certificate system with off-line use of certificates with 
> inherent bad revocation since you cannot revoke a certificate without 
> being on-line with the authorizing server.

If you configure online certificate verification it will fail closed.
So if there is no response, the users will be denied access.

> Or it should be an on-line (might of course be local) system where the 
> authorizing server (and hopefully a well designed backup...) is at least 
> always asked if access is OK at the beginning of a session (hopefully 
> possible to limit with time or amount of traffic or packets or or... 
> (but don't rebuild SSL!)).

Have you ever tried to read the patch Daniel posted with the message you
are replying to?  Apparently not; it would have answered all that.

> Please drop the classic "off-line" PKI scheme and present us an elegant 
> and robust on-line system.

I don't think you are in the position to make any demands here... and
most certainly not ridiculous ones.  If you really want this, then do
it yourself and post the patch.  Sounds fair, doesn't it?

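Editor's added example (not Daniel Hartmeier's patch and not OpenSSH code; the real wire
format is in the patch, which is not reproduced on this page). It models the "fail closed"
behaviour Andre describes above: a tiny CAL daemon answering key-check queries over UDP on
127.0.0.1, and a client that grants access only on an explicit OK. A timeout, an ICMP
unreachable, or any unexpected reply is treated as a denial. The request/response strings
(`CHECK <fingerprint>`, `OK`, `REVOKED`) and the sample fingerprints are assumptions made
up for the example.

```python
"""
Added example, not from the OpenSSH patch under discussion.

Assumed (hypothetical) wire format:
  request : b"CHECK " + <key fingerprint> + b"\n"
  response: b"OK\n" or b"REVOKED\n"
Transport is UDP on 127.0.0.1 with a short timeout. No answer, an error,
or a malformed answer is treated as DENY, i.e. the check fails closed.
"""
import socket
import threading

# Constructed sample data (hypothetical fingerprints): one good key, one revoked.
GOOD_KEY = b"SHA256:goodkeyfingerprint"
REVOKED_KEY = b"SHA256:revokedkeyfingerprint"
REVOKED_KEYS = {REVOKED_KEY}


def cal_server(sock, revoked, stop):
    """Answer CHECK queries until `stop` is set.

    Malformed queries get no reply at all; from the client's point of view
    that is indistinguishable from an absent daemon, so its fail-closed
    path is what handles them.
    """
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(512)
        except socket.timeout:
            continue
        if not data.startswith(b"CHECK "):
            continue
        fingerprint = data[len(b"CHECK "):].rstrip(b"\n")
        sock.sendto(b"REVOKED\n" if fingerprint in revoked else b"OK\n", peer)


def cal_query(server_addr, fingerprint, timeout=0.5):
    """Return True only on an explicit OK from the CAL daemon.

    Timeout, socket errors (e.g. ICMP port unreachable surfacing as
    ConnectionRefusedError) and unexpected replies all return False.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"CHECK " + fingerprint + b"\n", server_addr)
            reply, _ = s.recvfrom(512)
        except (socket.timeout, OSError):
            return False  # no answer: fail closed
    return reply == b"OK\n"


def start_server(revoked):
    """Bind the daemon to an ephemeral localhost port and run it in a thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    stop = threading.Event()
    thread = threading.Thread(target=cal_server, args=(sock, revoked, stop), daemon=True)
    thread.start()
    return sock.getsockname(), stop, sock, thread


def demo():
    """Run the three cases: good key, revoked key, daemon unreachable."""
    addr, stop, sock, thread = start_server(REVOKED_KEYS)
    try:
        results = {
            "good": cal_query(addr, GOOD_KEY),
            "revoked": cal_query(addr, REVOKED_KEY),
        }
    finally:
        stop.set()
        thread.join()
        sock.close()
    # Daemon is gone now: the same good key must be denied (fail closed).
    results["daemon_down"] = cal_query(addr, GOOD_KEY, timeout=0.3)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the `except` branch in `cal_query`: with an online check, the absence of an answer must map to "deny", otherwise an attacker who can drop or delay UDP to the daemon gets the off-line behaviour back. Note also that the toy protocol above has no authentication of the reply; a spoofed `OK` from anyone who can guess the client port would be accepted, so a real implementation would need to bind the response to the request (nonce, signature or a protected transport).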