Benefits of OpenSSH X.509 over key based authentication?

Joviano Dias joviano_dias at persistent.co.in
Mon Mar 10 18:56:47 EST 2008


Hi,

I have some observations regarding the X.509 patch developed by Roumen
Petrov for OpenSSH, available at http://roumenpetrov.info/openssh/ . I don't
understand some things here, like:

1. When certificate-based authentication of the client is desired,
shouldn't it be something like what mod_ssl does in Apache, where you have a CA
certificate at the server, and then the client certificate installed in the
client browser?

You do not have to update the server every time you update the client.

2. Whereas in the case of using the OpenSSH X.509 patch, we have to
generate an id_rsa.pub file for every id_rsa (client cert + client key) file
and append it to the authorized_keys file on the server.

This means every time you generate a client cert (cert + key), you have to append
the .pub part to the server. So isn't this like key-based authentication?

3. So, how is the practicality of this solution better than key-based
authentication?

Regards,

Joviano Dias
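The mod_ssl-style model the poster describes (one CA public key on the server, a certificate on each client, no per-client change to the server) can be shown with OpenSSH's own certificate format, which is a different mechanism from the X.509 patch and was added to OpenSSH in release 5.4, after this message was written. The script below is an added example, not code from the thread or from the X.509 patch; the CA name "demo CA", the user "alice" and the key ID "alice@laptop" are made up for the demonstration, all keys are generated in a temporary directory, and the sshd_config fragment is only written to a file, not loaded by a running sshd.

```sh
#!/bin/sh
# Added example: CA-trust model with OpenSSH certificates (ssh-keygen -s).
# The server keeps ONE line (TrustedUserCAKeys) pointing at the CA public key;
# issuing a certificate to a new client changes nothing on the server.
# Hypothetical names: "demo CA", principal "alice", key ID "alice@laptop".

demo_ca_trust() {
    d=$(mktemp -d) || return 1

    # 1. One CA key pair. Only ca.pub is ever copied to servers.
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$d/ca"

    # 2. The client generates its own key pair; the private half stays with it
    #    and the public half is never copied into authorized_keys.
    ssh-keygen -q -t ed25519 -N '' -C 'alice laptop' -f "$d/alice"

    # 3. The CA signs the client's public key into a certificate bound to the
    #    principal "alice" and valid for 52 weeks. Output file: alice-cert.pub
    ssh-keygen -q -s "$d/ca" -I 'alice@laptop' -n alice -V +52w "$d/alice.pub"

    # 4. Server-side configuration: a single directive that is independent of
    #    how many clients the CA later certifies (written to a file only).
    printf 'TrustedUserCAKeys %s/ca.pub\n' "$d" > "$d/sshd_config.fragment"

    # 5. The checks a server makes on such a certificate: it must be signed by
    #    the trusted CA, and its principal list must contain the login name.
    cert_ca=$(ssh-keygen -L -f "$d/alice-cert.pub" | grep 'Signing CA' | grep -o 'SHA256:[^ ]*')
    real_ca=$(ssh-keygen -l -f "$d/ca.pub" | grep -o 'SHA256:[^ ]*')
    has_principal=$(ssh-keygen -L -f "$d/alice-cert.pub" | grep -c '^ *alice$') || has_principal=0

    rm -rf "$d"

    if [ -n "$cert_ca" ] && [ "$cert_ca" = "$real_ca" ] && [ "$has_principal" -eq 1 ]; then
        echo ok        # certificate chains to the trusted CA and names "alice"
    else
        echo mismatch  # would be rejected by a server trusting only ca.pub
    fi
}

demo_ca_trust
```

Revoking a client in this model is done on the CA side (a RevokedKeys file or a short validity window) rather than by editing authorized_keys on every server, which is the operational difference the poster is asking about.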