OpenSSH and X.509 Certificate Support

Roumen Petrov openssh at roumenpetrov.info
Sun Mar 16 08:41:05 EST 2008


joviano_dias at persistent.co.in wrote:
> Roumen,
> 
> While using Distinguished Names in authorized_keys:
> Is it possible that all clients possessing a valid certificate are
> authenticated, and not just those clients who have certificates containing
> subject lines specified in authorized_keys?
> 
> Shouldn't it be sufficient that the client certificate signature is
> checked against the CA certificate on the server, i.e. the server
> authenticating without having to perform any sort of specific
> configuration to the server's authorized_keys file?

Sure, if you would like every client with a valid certificate to log in to
every logon account on the server.


> I know the above would be quite possible with wildcards, but is there any
> other way it can be done, that is accepting all Client Certificates signed
> by the CA whose CA certificate is present on the Server?
> 
> -Joviano Dias
> 
>> [SNIP]


Roumen


More information about the openssh-unix-dev mailing list