Openssh to support X509 certificates

Ian jonhson jonhson.ian at gmail.com
Mon Mar 17 16:22:58 EST 2008


On Sun, Mar 16, 2008 at 1:59 AM,  <joviano_dias at persistent.co.in> wrote:
> Yes, a module to provide authentication is essential as a part of released
>  OpenSSH, I feel. There is also one developed by Roumen Petrov; is your PAM
>  module in any way advantageous over that?

I don't know, but please see my following explanation.

>  A module which could do remote certificate authentication through some
>  authentication server would be even better, e.g. an OpenSSH client passes a
>  cert to the OpenSSH server and the server in turn authenticates it through a
>  remote RADIUS server!

I think the working of my PAM module has some similar aspects to what
you had said. It does authentication at the local node, but it should be
configured first to trust some remote CA. The difference is that the
PAM module can be seen as a plug-in module for openssh to meet
different authentication modes, such as GSI and MyProxy. And
also, it easily changes authentication modes via the PAM plug-in
framework. For example, some applications currently using
GSI as the authentication mode want to change to MyProxy-based
authentication or to apply both of them. It would be easier to
accomplish this with PAM plugins.

Now, I have developed a GSI-based PAM module, and another one for
MyProxy authentication is ongoing. For my modified openssh, it is
easy to change authentication by changing the configuration in
/etc/pam.d/.

To Roumen,

> I would like to take interest in your work on proxy certificates, but only
> as an extension to the openssh public-key algorithm. To me, PAM
> authentication is of no interest.

Another point for adopting a PAM module in local authentication is to deal with
user accounts. If someone has a valid certificate but has no account on the
remote sshd server, can you let him/her log in? How do you deal with the non-existing
account?

Now the PAM-based modified openssh can accomplish these targets, which
lets any user with a valid certificate traverse around the
network trusting the same CA, without needing to pre-allocate several
accounts on each traversed node.



to connect with different
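One way to handle the account question raised in the message above (a certificate from a trusted CA but no pre-allocated local account), as an added example that is not code from this thread or from either PAM module discussed: a mapping step in the GSI grid-mapfile style that resolves an already-validated subject DN to a local account, and refuses rather than invents one when nothing matches. The mapfile entries, the local account list and the pool-account fallback are constructed assumptions of this example, not GSI or sshd behaviour.

```python
"""Map an X.509 subject DN to a local account, the step a PAM/sshd module
has to take after certificate validation and before login. Assumes the CA
signature check has already passed; this code only decides the account."""
import re

# Constructed mapfile in GSI grid-mapfile syntax: "<subject DN>" <account>[,<account>...]
SAMPLE_MAPFILE = """\
# constructed entries, not from any real site
"/C=US/O=Example Grid/CN=Alice Researcher" alice
"/C=US/O=Example Grid/CN=Bob Operator" bob,ops
"/C=US/O=Example Grid/CN=Stale Entry" retired
"""
# Constructed stand-in for /etc/passwd: the accounts that exist on this host.
LOCAL_ACCOUNTS = {"alice", "bob", "ops", "pool01", "pool02"}

_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accts>\S+)\s*$')


def parse_gridmap(text):
    """Return {subject DN: [accounts...]}; blank lines and '#' comments are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed gridmap line: %r" % raw)
        mapping[m.group("dn")] = m.group("accts").split(",")
    return mapping


def map_subject(dn, mapping, local_accounts, pool=(), in_use=None):
    """Pick the local account for a validated certificate subject.
    Returns (account, reason). A mapped subject gets its first account that
    exists locally; an entry pointing only at missing accounts is refused
    rather than silently created. An unmapped subject may fall back to a
    pool account (assumption of this example: free pool accounts are handed
    out first-come, so the caller keeps in_use across sessions)."""
    in_use = set() if in_use is None else in_use
    if dn in mapping:
        for acct in mapping[dn]:
            if acct in local_accounts:
                return acct, "mapped"
        return None, "mapped account missing on this host"
    for acct in pool:
        if acct in local_accounts and acct not in in_use:
            in_use.add(acct)
            return acct, "pool"
    return None, "no mapping and no free pool account"
```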

