OpenSSH and X.509 Certificate Support
sankalp_karpe
sankalp_karpe at persistent.co.in
Fri Mar 14 15:54:58 EST 2008
Hi Roumen,
I discovered that the need of appending the .pub part of id_rsa(client
key+cert) on the server can be eliminated by adding the Certificate Blob
to authorized_keys which could look something like this:
x509v3-sign-rsa subject=/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com
This is extracted from the client certificate using openssl as described
in the README file provided by you at
http://roumenpetrov.info/openssh/x509h/README.x509v3
This system works fine, however my only concern is that I would like all
Clients (possessing a valid Client-Certificate signed by the CA) to be
authenticated without having to place anything in the
~/.ssh/authorized_keys file on the server (i.e. authenticate all users if
they have a valid certificate without any subject line checking).
In Apache this is very much possible via mod_ssl as described in
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
Can a similar behavior be emulated in OpenSSH using the X.509 patch?
Please let me know your comments.
Thanks and Best Regards,
Sankalp
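The authorized_keys entry described in the mail above can be produced from the client certificate with a small script. This is an added example, not code from the thread or from the X.509 patch; it assumes openssl is on the PATH and that the patch expects the slash-separated subject form shown in the mail (newer OpenSSL prints "C = FR, ST = PARIS, ..." by default, so -nameopt compat is used to get the old form).

```shell
#!/bin/sh
# Helpers for the x509v3-sign-rsa authorized_keys format discussed above.

# Turn an openssl "subject=" line into an authorized_keys entry.
# $1: raw line such as "subject= /C=FR/ST=PARIS/O=SSL/CN=10.244.82.83"
subject_to_authkey() {
  dn=$(printf '%s' "$1" | sed 's/^subject= *//')
  printf 'x509v3-sign-rsa subject=%s\n' "$dn"
}

# Read the subject from a PEM certificate (requires openssl) and emit
# the entry; -nameopt compat forces the /C=FR/ST=... form on OpenSSL >= 1.1.
# $1: path to the client certificate in PEM form
cert_to_authkey() {
  subject_to_authkey "$(openssl x509 -noout -subject -nameopt compat -in "$1")"
}

# Server-side check mirroring the per-subject model: the presented DN must
# match one entry exactly (whole line, fixed string, no pattern matching).
# $1: authorized_keys file, $2: subject DN of the presented certificate
is_authorized() {
  grep -qxF "x509v3-sign-rsa subject=$2" "$1"
}
```

Only is_authorized and subject_to_authkey run offline; cert_to_authkey needs a real certificate file.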