OpenSSH and X.509 Certificate Support

sankalp_karpe sankalp_karpe at persistent.co.in
Fri Mar 14 15:54:58 EST 2008


Hi Roumen,

I discovered that the need of appending the .pub part of id_rsa(client 
key+cert) on the server can be eliminated by adding the Certificate Blob 
to authorized_keys which could look something like this:

x509v3-sign-rsa subject= 
/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com

This is extracted from the client certificate using openssl as described 
in the README file provided by you at 
http://roumenpetrov.info/openssh/x509h/README.x509v3

This system works fine, however my only concern is that I would like all 
Clients (possessing a valid Client-Certifcates signed by the CA) to be 
authenticated without having to place anything in the 
~/.ssh/authorized_keys file on the server.(i.e authenticate all users if 
they have a valid certificate without any subject line checking).

In Apache this is very much possible via mod_ssl as described in 
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
Can a similar behavior be emulated in OpenSSH using the X.509 patch?

Please let me know your comments.

Thanks and Best Regards,
Sankalp


More information about the openssh-unix-dev mailing list