OpenSSH and X.509 Certificate Support

Joviano Dias joviano_dias at persistent.co.in
Wed Mar 19 02:03:18 EST 2008


As I had mentioned previously, I am building a system with OpenSSH + X.509
using the patch provided by Roumen, and
I have to have the subject lines in my authorized_keys in order to
authenticate clients based on the match of these subject lines.

I wanted to authenticate all clients who were issued a client certificate by
the CA whose CA certificate is present on the Server as I believe that this
should be sufficient and would avoid the overhead of adding subject lines
(to authorized_keys on the server) of each client certificate issued...

Here is what I am considering...

-----Original Message-----
From: openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org
[mailto:openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org]
On Behalf Of Peter Stuge
Sent: Sunday, March 16, 2008 11:46 PM
To: OpenSSH Devel List
Subject: Re: OpenSSH and X.509 Certificate Support

On Sun, Mar 16, 2008 at 11:16:00PM +0530, joviano_dias at persistent.co.in
wrote:
> > Sure, if you like every client with valid certificate to login
> > into every logon account on the server.
> 
> I should be able to do that, but I can't quite figure out how to do that...

> any idea on this?...

That should only need a small change to the patch.

I see that I would have to modify ssh-x509.c, however I was just wondering
if there were any configuration options available to achieve the same.
Switching between authenticating the client using "client cert subject
lines" and "without any selective authentication (no subject lines in
authorized_keys)" in authorized_keys on the server would be really good for
me.

Has anyone ever done this before, or any suggestions on the same?

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
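As an added example, not from this thread or from Roumen's patch: the two policies contrasted above ("subject lines in authorized_keys" versus "any certificate issued by the CA whose certificate is on the server"), checked with plain openssl against a throwaway CA. All certificates are constructed on the fly; it assumes OpenSSL 1.1.1 or newer and a writable temp directory, and goes one step beyond the thread by adding a certificate from an unrelated issuer that carries the same subject, to show why the chain check has to come before the subject match.

```shell
#!/bin/sh
# Added example, not from the thread or the X.509 patch: the two policies
# discussed above, checked with plain openssl against a throwaway CA.
# Assumes OpenSSL 1.1.1+ (non-zero exit from 'openssl verify' on failure)
# and a writable scratch directory. All certificates are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed test data: a CA, one client cert it issued (CN=alice), and a
# self-signed cert from an unrelated issuer that claims the same subject.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/alice.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/alice.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# Policy 1 ("no subject lines"): accept any certificate that chains to the
# CA certificate present on the server. Exit status 0 means accepted.
authz_ca_only() {  # $1 = client certificate (PEM)
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Policy 2 ("subject lines"): the chain check above AND the certificate's
# subject must appear in an allow-list (one RFC 2253 DN per line), which is
# what listing subjects in authorized_keys achieves. The chain check runs
# first, so a matching subject from another issuer is still rejected.
authz_subject() {  # $1 = client certificate (PEM), $2 = allow-list file
    authz_ca_only "$1" || return 1
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    grep -Fxq -- "$subj" "$2"
}

make_pki
printf '%s\n' "CN=alice" > "$WORK/allowed.txt"
authz_ca_only "$WORK/alice.pem" && echo "alice.pem: accepted by policy 1 (chains to CA)"
authz_subject "$WORK/alice.pem" "$WORK/allowed.txt" && echo "alice.pem: accepted by policy 2 (subject listed)"
authz_subject "$WORK/rogue.pem" "$WORK/allowed.txt" || echo "rogue.pem: rejected by both (not issued by CA)"
```

Policy 1 is the behaviour asked for in the message above: once it is in force, the allow-list file is no longer consulted, so every holder of a CA-issued certificate passes the same check regardless of which account they request.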
