OpenSSH and X.509 Certificate Support

joviano_dias at persistent.co.in joviano_dias at persistent.co.in
Mon Mar 17 04:46:00 EST 2008


> joviano_dias at persistent.co.in wrote:
>> Roumen,
>>
>> While using Distinguished Names in authorized_keys:
>> Is it possible that all clients possessing a valid certificate are
>> authenticated, and not just those clients who have certificates
>> containing subject lines specified in authorized_keys?
>>
>> Shouldn't it be sufficient that the client certificate signature is
>> checked against the CA certificate on the server, i.e. server
>> authenticating without having to perform any sort of specific
>> configuration to the server's authorized_keys file.
>
> Sure, if you like every client with valid certificate to login into
> every logon account on the server.
>
I should be able to do that, but I can't quite figure out how to do that...
Right now I am using DNs in authorized_keys and for every client, I need
to put the subject line of the client certificate in authorized_keys.

How do I authenticate all clients having a valid certificate, and not
just those clients possessing a valid client cert?

I tried removing all entries from authorized_keys, but the sshd server
would not authenticate any client, even if they had a valid certificate.

Any idea on this?...
>
>> I know the above would be quite possible with wildcards, but is there
>> any other way it can be done, that is accepting all Client Certificates
>> signed by the CA whose CA certificate is present on the Server?
>>
>> -Joviano Dias
>>
>>> [SNIP]
>
>
> Roumen
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
-Joviano

