OpenSSH Certkey (PKI)

Wolfgang S. Rupprecht wolfgang+gnus200611 at
Sat Nov 18 07:02:37 EST 2006

Daniel Lang <dl at> writes:
> In fact, it would mean, that you could abandon the authorized_keys
> file, but you would still need an "authorized_users" file, that 
> would need to contain the DN (or a similar identifier) of the user
> that matches the certificate. So not a lot is saved, but things
> may become less transparent....

The advantage of splitting the authorization / authentication is it
opens up the possibility of a single certificate being used to
identify a user over quite a large range of non-cooperating
organizations.  That way a potential user can approach the system
admin with their company-wide (or Internet-wide) certificate and the
system admin can enter that certificate into a user's list (or
into the user's authorized_keys file etc).

I'd much rather they use the whole certificate as the test instead of
just the DN it contains.  That way, the only aspect of the PKI they
need to trust is that the key is strong enough to resist breaking.
They don't really need to trust that the DN is their true name or that
there won't be a DN name-clash a few months down the road.  They just
need to trust that the PKI works.

Wolfgang S. Rupprecht      
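The two authorization schemes debated above, side by side, as an added example that is not part of the original thread or of OpenSSH itself. The certificate is a constructed stand-in (a subject DN plus the public-key blob it binds; CA signature checking is assumed to have happened already and is not modelled), the key bytes are constructed rather than real keys, and the "account name in the comment field" layout of the authorized list is a convention chosen for this example only. What the code does reproduce faithfully is the OpenSSH public-key blob encoding and the SHA256 fingerprint that `ssh-keygen -l` prints, so the key-based lookup is the same test a real server would apply.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores (base64) in authorized_keys
    for an Ed25519 key: string "ssh-ed25519" followed by the 32-byte key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 of the
    digest of the whole blob, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> Dict[str, str]:
    """Parse authorized_keys-style lines "<type> <base64 blob> <account>" into
    a map from key fingerprint to local account.  Using the comment field as
    the account name is a convention chosen for this example only."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed line: {line!r}")
        key_type, b64, account = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64, validate=True)
        # The blob's first wire string must repeat the declared key type.
        declared_len = struct.unpack(">I", blob[:4])[0]
        if blob[4:4 + declared_len] != key_type.encode("ascii"):
            raise ValueError(f"key type mismatch on line: {line!r}")
        table[fingerprint(blob)] = account
    return table


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a PKI certificate: the subject DN and the
    public-key blob it binds.  CA signature checking is assumed to have
    happened already; it is not modelled here."""
    subject_dn: str
    key_blob: bytes


def authorize_by_dn(cert: Certificate, users_by_dn: Dict[str, str]) -> Optional[str]:
    """The scheme the quoted mail sketches: map the subject DN to an account."""
    return users_by_dn.get(cert.subject_dn)


def authorize_by_key(cert: Certificate, users_by_key: Dict[str, str]) -> Optional[str]:
    """The scheme the reply argues for: map the whole key to an account, so the
    DN plays no part in the decision."""
    return users_by_key.get(fingerprint(cert.key_blob))


# Constructed key material: not real keys, just two distinct 32-byte values.
ALICE_BLOB = ed25519_blob(bytes(range(32)))
OTHER_BLOB = ed25519_blob(bytes(range(32, 64)))

# Two certificates that carry the same DN but bind different keys: the
# name clash the reply worries about.
ALICE_CERT = Certificate("CN=Alice Example,O=Example Corp", ALICE_BLOB)
CLASH_CERT = Certificate("CN=Alice Example,O=Example Corp", OTHER_BLOB)

# Constructed authorization lists.  Only Alice's key was ever registered.
USERS_BY_DN = {"CN=Alice Example,O=Example Corp": "alice"}
AUTHORIZED_KEYS_TEXT = (
    "# type  base64-blob  local-account\n"
    f"ssh-ed25519 {base64.b64encode(ALICE_BLOB).decode('ascii')} alice\n"
)
USERS_BY_KEY = parse_authorized_keys(AUTHORIZED_KEYS_TEXT)


def compare_schemes() -> Dict[str, Optional[str]]:
    """Run both checks for both certificates and return the decisions."""
    return {
        "dn:alice": authorize_by_dn(ALICE_CERT, USERS_BY_DN),
        "dn:clash": authorize_by_dn(CLASH_CERT, USERS_BY_DN),
        "key:alice": authorize_by_key(ALICE_CERT, USERS_BY_KEY),
        "key:clash": authorize_by_key(CLASH_CERT, USERS_BY_KEY),
    }


if __name__ == "__main__":
    for check, decision in compare_schemes().items():
        print(f"{check:10s} -> {decision}")
```

Running it shows the difference the reply is pointing at: the DN lookup grants the "alice" account to both certificates, because the only thing it can see is the name string, while the key lookup grants it to Alice's registered key and rejects the later certificate with the clashing DN. The admin who keys the list on the whole certificate therefore only has to trust that the key is strong, not that the PKI's naming will stay unique.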

More information about the openssh-unix-dev mailing list