OpenSSH and X.509 Certificate Support

Peter Stuge stuge-openssh-unix-dev at cdy.org
Thu Mar 13 12:03:24 EST 2008


On Wed, Mar 12, 2008 at 05:21:26PM +0530, sankalp_karpe wrote:
> (1) Isn't this an overhead as compared to what we would do in Web
> Server Authentication (Apache) where-in we provide the client with
> just a certificate, and not having to create a custom file
> containing the Client key+certificate (id_rsa) like we do for
> OpenSSH patched with X.509.

Disregarding the file format issue, a certificate does not make sense
if there is no private key. The certificate is just a "face" to go
with the key. If Roumen's patch doesn't already support .pem files
with key and cert I think it would be trivial to add.


> (2) If we need to have the "client key + client certificate" in
> id_rsa,

Yes, the client will always need both key and cert.


> then, is there any workaround to eliminate the need to append the
> ".pub" part of it to the "authorized_keys" file on the Server.

Here I agree with you - the administrative advantages of PKI seem to
be lost if each client's cert needs to be distributed to all servers.

But on the other hand - how will the certificate->username mapping be
done otherwise? (Each cert should only be allowed for one username.)


> (3) Also how can we authenticate clients selectively using the
> fields of the client certificate in case of OpenSSH (with X.509
> support).

Again I suspect this would be trivial to add, depending on the
criteria you would like to use.


//Peter
