OpenSSH and X.509 Certificate Support

joviano_dias at persistent.co.in joviano_dias at persistent.co.in
Sun Mar 16 08:00:13 EST 2008


Roumen,

While using Distinguished Names in authorized_keys:
Is it possible that all clients possessing a valid certificate are
authenticated, and not just those clients who have certificates containing
subject lines specified in authorized_keys?

Shouldn't it be sufficient that the client certificate signature is
checked against the CA certificate on the server, i.e. the server
authenticating without having to perform any sort of specific
configuration to the server's authorized_keys file?

I know the above would be quite possible with wildcards, but is there any
other way it can be done, that is accepting all Client Certificates signed
by the CA whose CA certificate is present on the Server?

-Joviano Dias

> sankalp_karpe wrote:
>> Hi Roumen,
>>
>> I discovered that the need of appending the .pub part of id_rsa(client
>> key+cert) on the server can be eliminated by adding the Certificate Blob
>> to authorized_keys which could look something like this:
>>
>> x509v3-sign-rsa subject=
>> /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com
>>
>> This is extracted from the client certificate using openssl as described
>> in the README file provided by you at
>> http://roumenpetrov.info/openssh/x509h/README.x509v3
>>
>> This system works fine, however my only concern is that I would like all
>> Clients (possessing valid Client Certificates signed by the CA) to be
>> authenticated without having to place anything in the
>> ~/.ssh/authorized_keys file on the server (i.e. authenticate all users if
>> they have a valid certificate without any subject line checking).
>>
>> In Apache this is very much possible via mod_ssl as described in
>> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
>> Can a similar behavior be emulated in OpenSSH using the X.509 patch?
>>
>> Please let me know your comments.
>>
>> Thanks and Best Regards,
>> Sankalp
>
>
> http://roumenpetrov.info/openssh/#todo
> - to implement wildcards (patterns) for DN in "authorized keys" and "known
> hosts" files
>
> So above is similar to apache SSLRequire. Patches are welcome.
>
> Roumen
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
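The matching the thread discusses, as an added example that is not code from the X.509 patch or from any poster: an `x509v3-sign-rsa subject=<DN>` entry in authorized_keys is compared RDN by RDN against the presented certificate's subject, and a certificate that chains to the trusted CA but matches no entry is still refused. The pattern (wildcard) entries model the TODO item; their shell-style syntax is an assumption, and the sample authorized_keys text is constructed.

```python
# Added example (not code from the X.509 patch): match a client certificate's
# subject DN against authorized_keys entries; the pattern syntax is assumed.
import fnmatch
from typing import List, Optional, Tuple

KEY_TYPE = "x509v3-sign-rsa"  # the key type used in the thread's entry

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN ('/C=FR/ST=PARIS/CN=host') into pairs."""
    rdns = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value))  # attribute types case-insensitive
    return rdns

def entry_subject(line: str) -> Optional[str]:
    """DN of an 'x509v3-sign-rsa subject=<DN>' line; None for comments/other keys."""
    fields = line.strip().split(None, 1)
    if len(fields) != 2 or fields[0] != KEY_TYPE or not fields[1].startswith("subject="):
        return None
    return fields[1][len("subject="):].strip()

def dn_matches(entry_dn: str, cert_dn: str, patterns: bool = False) -> bool:
    """Compare RDN by RDN in order. With patterns=True, entry values may hold
    shell-style wildcards ('*', '?'); otherwise values must be identical."""
    entry, cert = parse_dn(entry_dn), parse_dn(cert_dn)
    if len(entry) != len(cert):
        return False
    for (ea, ev), (ca, cv) in zip(entry, cert):
        if ea != ca or not (fnmatch.fnmatchcase(cv, ev) if patterns else ev == cv):
            return False
    return True

def is_authorized(authorized_keys: str, cert_dn: str, patterns: bool = False) -> bool:
    """True if some entry matches the certificate's DN. The CA chain check says
    who the holder is; the entry says which account that holder may use."""
    return any(dn_matches(dn, cert_dn, patterns)
               for dn in map(entry_subject, authorized_keys.splitlines()) if dn is not None)

# Constructed sample: the exact-DN entry form from the thread plus a pattern entry.
SAMPLE_AUTHORIZED_KEYS = """\
x509v3-sign-rsa subject=/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client@company.com
# hypothetical pattern entry: any host and mailbox in the VLSI unit
x509v3-sign-rsa subject=/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=*/emailAddress=*@company.com
"""
```

With `patterns=False` only the certificate whose DN appears verbatim is accepted; with `patterns=True` the second entry admits every VLSI certificate, which is the "all clients signed by the CA" behaviour narrowed to one organisational unit.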