OpenSSH and X.509 Certificate Support

Roumen Petrov openssh at roumenpetrov.info
Sun Mar 16 05:26:18 EST 2008


sankalp_karpe wrote:
> Hi Roumen,
> 
> I discovered that the need of appending the .pub part of id_rsa(client 
> key+cert) on the server can be eliminated by adding the Certificate Blob 
> to authorized_keys which could look something like this:
> 
> x509v3-sign-rsa subject= 
> /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com
> 
> This is extracted from the client certificate using openssl as described 
> in the README file provided by you at 
> http://roumenpetrov.info/openssh/x509h/README.x509v3
> 
> This system works fine, however my only concern is that I would like all 
> Clients (possessing a valid Client-Certificate signed by the CA) to be 
> authenticated without having to place anything in the 
> ~/.ssh/authorized_keys file on the server (i.e. authenticate all users if 
> they have a valid certificate without any subject line checking).
> 
> In Apache this is very much possible via mod_ssl as described in 
> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
> Can a similar behavior be emulated in OpenSSH using the X.509 patch?
> 
> Please let me know your comments.
> 
> Thanks and Best Regards,
> Sankalp


http://roumenpetrov.info/openssh/#todo
- to implement wildcards (patterns) for DN in "authorized keys" and "known 
hosts" files

So above is similar to apache SSLRequire. Patches are welcome.

Roumen
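As an added illustration (not code from the X.509 patch), here is a Python matcher for the authorized_keys entry format quoted above: exact subject comparison as the current patch expects, plus an fnmatch-style per-RDN pattern mode standing in for the DN-wildcards TODO item. The entry format is the one shown in the thread; the pattern semantics, the sample subjects and the function names are assumptions.

```python
# Illustrative matcher for 'x509v3-sign-rsa subject=' authorized_keys lines.
# Added example, not the X.509 patch's code; per-RDN wildcards are an assumption.
import fnmatch

KEY_TYPE = "x509v3-sign-rsa"

def parse_dn(dn):
    """'/C=FR/ST=PARIS/CN=h' -> ordered (attr, value) pairs; assumes no escaped '/' in values."""
    pairs = []
    for rdn in (p for p in dn.strip().split("/") if p):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append(tuple(rdn.split("=", 1)))
    return pairs

def parse_authorized_keys(text):
    """Subject DNs of x509v3-sign-rsa entries; comments and other key types are ignored."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(KEY_TYPE + " "):
            continue
        rest = line[len(KEY_TYPE):].strip()
        if rest.startswith("subject="):
            dns.append(parse_dn(rest[len("subject="):]))
    return dns

def dn_matches(pattern, cert_dn, wildcards=False):
    """Exact RDN-by-RDN comparison (current behaviour) or fnmatch per value (the TODO)."""
    if len(pattern) != len(cert_dn):
        return False
    for (pa, pv), (ca, cv) in zip(pattern, cert_dn):
        if pa != ca:
            return False
        if not (fnmatch.fnmatchcase(cv, pv) if wildcards else pv == cv):
            return False
    return True

def is_authorized(authorized_keys_text, cert_subject, wildcards=False):
    """True if the subject matches any entry; only meaningful after the CA signature is verified."""
    cert_dn = parse_dn(cert_subject)
    return any(dn_matches(p, cert_dn, wildcards)
               for p in parse_authorized_keys(authorized_keys_text))

# Constructed sample entries (not the thread's real values).
SAMPLE_AUTHORIZED_KEYS = """\
x509v3-sign-rsa subject= /C=FR/ST=PARIS/O=SSL/OU=VLSI/CN=host1.example.test/emailAddress=alice@example.test
x509v3-sign-rsa subject= /C=FR/ST=PARIS/O=SSL/OU=VLSI/CN=*.example.test/emailAddress=*@example.test
"""
```

A pattern entry made only of wildcards is the "any certificate signed by the CA" policy asked about above, so such an entry belongs in authorized_keys only where the CA itself is the intended trust boundary.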
