Benefits of OpenSSH X.509 over key based authentication?
Joviano Dias
joviano_dias at persistent.co.in
Mon Mar 10 18:56:47 EST 2008
Hi,
I have some observations regarding the X.509 patch developed by Roumen
Petrov for OpenSSH, available at http://roumenpetrov.info/openssh/ . I don't
understand some things here, like:
1. When certificate-based authentication of the client is desired,
shouldn't it be something like what mod_ssl does in Apache, where you have a CA
certificate at the server, and then the client certificate installed in the
client browser?
You do not have to update the server every time you update the client.
2. Whereas in the case of using the OpenSSH X.509 patch, we have to
generate an id_rsa.pub file for every id_rsa (client cert + client key) file
and append it to the authorized_keys file on the server.
This means every time you generate a client cert (cert+key), you have to append
the .pub part to the server. So isn't this like key-based authentication?
3. So, how is the practicality of this solution better than key-based
authentication?
Regards,
Joviano Dias
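
The CA trust model referred to in point 1, as an added example that is not part of the original post: the server holds only a CA certificate, and each new client certificate is accepted without touching server-side state. It uses the `openssl` command line; the names Demo CA, alice, bob and mallory and all function names are constructed for the demo, and it shows only the chain check, not proof of possession of the private key.

```shell
#!/bin/sh
# Added illustration of CA-based client trust. All names and files here are
# constructed for the demo and live in a throwaway temporary directory.
DEMO_DIR=$(mktemp -d)

# One-time server-side setup: a CA key and a self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
}

# Issue a client certificate signed by the CA ($1 = client name).
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -days 1 \
        -CA "$DEMO_DIR/ca.crt" -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# A certificate the CA never signed, used as the negative case.
self_signed_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# The server's decision: it consults only ca.crt, no per-client entry.
server_accepts() {
    openssl verify -CAfile "$DEMO_DIR/ca.crt" "$DEMO_DIR/$1.crt" >/dev/null 2>&1
}

# Checksum of the only file the server needs in order to trust clients.
server_state() { cksum < "$DEMO_DIR/ca.crt"; }

make_ca
issue_client alice
STATE_BEFORE=$(server_state)
issue_client bob                 # a new client arrives later
STATE_AFTER=$(server_state)      # server trust store is unchanged
self_signed_client mallory

for who in alice bob mallory; do
    if server_accepts "$who"; then echo "$who: accepted"; else echo "$who: rejected"; fi
done
[ "$STATE_BEFORE" = "$STATE_AFTER" ] && echo "server state unchanged after adding bob"
```
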