OpenSSH and X.509 Certificate Support
Peter Stuge
stuge-openssh-unix-dev at cdy.org
Thu Mar 13 12:03:24 EST 2008
On Wed, Mar 12, 2008 at 05:21:26PM +0530, sankalp_karpe wrote:
> (1) Isn't this an overhead as compared to what we would do in Web
> Server Authentication (Apache) wherein we provide the client with
> just a certificate, and not having to create a custom file
> containing the Client key+certificate (id_rsa) like we do for
> OpenSSH patched with X.509.
Disregarding the file format issue, a certificate does not make sense
if there is no private key. The certificate is just a "face" to go
with the key. If Roumen's patch doesn't already support .pem files
with key and cert I think it would be trivial to add.
> (2) If we need to have the "client key + client certificate" in
> id_rsa,
Yes, the client will always need both key and cert.
> then, is there any workaround to eliminate the need to append the
> ".pub" part of it to the "authorized_keys" file on the Server.
Here I agree with you - the administrative advantages of PKI seem to
be lost if each client's cert needs to be distributed to all servers.
But on the other hand - how will the certificate->username mapping be
done otherwise? (Each cert should only be allowed for one username.)
> (3) Also how can we authenticate clients selectively using the
> fields of the client certificate in case of OpenSSH (with X.509
> support).
Again I suspect this would be trivial to add, depending on the
criteria you would like to use.
//Peter
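The two server-side questions raised above, how a certificate is mapped to exactly one username and how clients are accepted selectively on certificate fields, can be sketched as a small policy check. The following is an added example written for this discussion; it is not code from OpenSSH, from Roumen's X.509 patch, or from Apache. It assumes the server has already validated the certificate chain and only works on two things it can obtain from `openssl x509`: the `-subject` line (both the legacy slash form and the RFC 4514 comma form are accepted) and the SHA-256 fingerprint of the DER encoding. The mapping file format (`<sha256-hex> <username>` per line), the `required_org` policy and the sample certificate bytes are constructed for the example.

```python
from __future__ import annotations

import hashlib
import re
from typing import Optional

# RFC 4514 attribute type names look like "CN", "O", "emailAddress".
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")
# Constructed stand-ins for DER certificates; real input is the output of
# `openssl x509 -outform DER`.
SAMPLE_CERT_ALICE = b"constructed-not-a-real-certificate-alice"
SAMPLE_CERT_MALLORY = b"constructed-not-a-real-certificate-mallory"


def parse_subject(line: str) -> list[tuple[str, str]]:
    """Parse the line printed by `openssl x509 -noout -subject`.

    Accepts "subject= /C=SE/O=Example/CN=alice" (legacy OpenSSL form) and
    "subject=C = SE, O = Example, CN = alice" (RFC 4514 form).  RDNs are
    returned in order with attribute types upper-cased.  Escaped separators
    are not handled; values containing "/" or "," need the full grammar.
    """
    s = line.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    sep = "/" if s.startswith("/") else ","
    rdns: list[tuple[str, str]] = []
    for part in s.split(sep):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = (x.strip() for x in part.split("=", 1))
        if not _ATTR_RE.match(attr):
            raise ValueError(f"bad attribute type: {attr!r}")
        rdns.append((attr.upper(), value))
    return rdns


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER encoding, i.e. `openssl x509 -sha256 -fingerprint`
    with the colons removed and lower-cased."""
    return hashlib.sha256(cert_der).hexdigest()


def load_mapping(text: str) -> dict[str, str]:
    """Load '<sha256-hex> <username>' lines (constructed format, '#' comments).

    A fingerprint may map to exactly one username; a second, different name
    for the same certificate is rejected at load time rather than silently
    letting the last line win.
    """
    mapping: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", fields[0]):
            raise ValueError(f"line {lineno}: expected '<sha256-hex> <username>'")
        fp, user = fields[0].lower(), fields[1]
        if fp in mapping and mapping[fp] != user:
            raise ValueError(f"line {lineno}: fingerprint already mapped to {mapping[fp]!r}")
        mapping[fp] = user
    return mapping


def authorize(cert_der: bytes, subject_line: str,
              mapping: dict[str, str], required_org: str) -> Optional[str]:
    """Return the username a validated certificate is allowed to log in as.

    The mapping table (not the CN) decides the username, so the server keeps
    the same explicit control it has with authorized_keys; the subject check
    is the selective filter on certificate fields.  None means "refuse".
    """
    attrs = dict(parse_subject(subject_line))
    if attrs.get("O") != required_org:          # selective criterion
        return None
    if "CN" not in attrs:                       # require a named subject
        return None
    return mapping.get(cert_fingerprint(cert_der))   # unknown cert -> None


def demo() -> dict[str, Optional[str]]:
    mapping = load_mapping(f"{cert_fingerprint(SAMPLE_CERT_ALICE)} alice  # constructed\n")
    return {
        "alice_ok": authorize(SAMPLE_CERT_ALICE,
                              "subject=C = SE, O = Example Corp, CN = alice",
                              mapping, "Example Corp"),
        "wrong_org": authorize(SAMPLE_CERT_ALICE,
                               "subject= /C=SE/O=Other Corp/CN=alice",
                               mapping, "Example Corp"),
        "unknown_cert": authorize(SAMPLE_CERT_MALLORY,
                                  "subject=O = Example Corp, CN = alice",
                                  mapping, "Example Corp"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Keeping the fingerprint-to-username table as the authority answers the mapping question in the same way `authorized_keys` does today, which is exactly the distribution cost noted above; the alternative of deriving the username from the CN would remove that cost but would then make the issuing CA, not the server administrator, the party that decides who may log in as whom.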