OpenSSH and X.509 Certificate Support
Joviano Dias
joviano_dias at persistent.co.in
Wed Mar 19 02:03:18 EST 2008
As I had mentioned previously, I am building a system with OpenSSH + X.509
using the patch provided by Roumen,
I have to have the subject lines in my authorized keys in order to
authenticate clients based on the match of these subject lines.
I wanted to authenticate all clients who were issued a client certificate by
the CA whose CA certificate is present on the Server as I believe that this
should be sufficient and would avoid the overhead of adding subject lines
(to authorized_keys on the server) of each client certificate issued...
Here is what I am considering...
-----Original Message-----
From: openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org
[mailto:openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org]
On Behalf Of Peter Stuge
Sent: Sunday, March 16, 2008 11:46 PM
To: OpenSSH Devel List
Subject: Re: OpenSSH and X.509 Certificate Support
On Sun, Mar 16, 2008 at 11:16:00PM +0530, joviano_dias at persistent.co.in
wrote:
> > Sure, if you like every client with valid certificate to login
> > into every logon account on the server.
>
> I should be able to do that, but I can't quite figure out how to do that.....
> any idea on this?...
That should only need a small change to the patch.
I see that I would have to modify ssh-x509.c, however I was just wondering
if there were any configuration options available to achieve the same.
Switching between authenticating the client using "client cert subject
lines" and "without any selective authentication (no subject lines in
authorized_keys)" in authorized_keys on the server would be really good for
me.
Has anyone ever done this before, or any suggestions on the same?
//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev