OpenSSH Certkey (PKI) adding CAL (online verification)

Daniel Hartmeier daniel at
Fri Nov 17 08:03:56 EST 2006

On Thu, Nov 16, 2006 at 07:01:41PM +0100, Daniel Hartmeier wrote:

> +When Certkey user authentication fails either because no CAL server can be
> +reached or because one CAL server delivers a valid reply marking the user key
> +as invalid, the user key can still be used with other authentication methods
> +(publickey) to gain access (if found in authorized_keys).

Maybe it should be possible to enable CAL even for the traditional
publickey authentication. That would enforce an online check even if
Certkey isn't used. You could then revoke user keys and they wouldn't
work even if they're present in the traditional authorized_keys files.

Of course, if you do that and the CALs go down, the only way to login is
using passwords. You don't expect CALs to disable these, too, I hope ;)


More information about the openssh-unix-dev mailing list