ssh certificate usage
Damien Miller
djm at mindrot.org
Wed Apr 28 18:40:42 EST 2010
On Wed, 28 Apr 2010, Hans wrote:
> > You can set AuthorizedKeysFile to /dev/null, so sshd will never find
> > any regular keys there. This can be done on a per-user/group/address
> > basis using the Match keyword.
>
> That is the one I missed, otherwise users could connect once using the
> certificate,
> put there plain public key in the .ssh/authorized_keys2 and remove
> their cert pub key and make connections without the restrictions.
oops, it seems I'm mistaken about selecting AuthorizedKeysFile through
Match - it isn't supported. I just filed
https://bugzilla.mindrot.org/show_bug.cgi?id=1764 to add it.
> > As you are probably aware, the certificate support is very new and I'd
> > love to hear any feedback or criticism you may have.
>
> Until so far I like it :)
> Have to check still the possible restrictions and how the ssh-agent is
> handling the cert pub keys
ssh-agent should accept add requests for certified keys and should sign
them correctly. Certified keys should be added automatically by ssh-add
if they are named XXX-cert.pub to a corresponding private key file. This
is essentially the same way that ssh(1) uses them.
-d
More information about the openssh-unix-dev
mailing list