ssh certificate usage

Damien Miller djm at
Wed Apr 28 18:40:42 EST 2010

On Wed, 28 Apr 2010, Hans wrote:

> > You can set AuthorizedKeysFile to /dev/null, so sshd will never find
> > any regular keys there. This can be done on a per-user/group/address
> > basis using the Match keyword.
> That is the one I missed, otherwise users could connect once using the
> certificate,
> put there plain public key in the .ssh/authorized_keys2 and remove
> their cert pub key and make connections without the restrictions.

oops, it seems I'm mistaken about selecting AuthorizedKeysFile through
Match - it isn't supported. I just filed to add it.

> > As you are probably aware, the certificate support is very new and I'd
> > love to hear any feedback or criticism you may have.
> Until so far I like it :)
> Have to check still the possible restrictions and how the ssh-agent is
> handling the cert pub keys

ssh-agent should accept add requests for certified keys and should sign
them correctly. Certified keys should be added automatically by ssh-add
if they are named to a corresponding private key file. This
is essentially the same way that ssh(1) uses them.


More information about the openssh-unix-dev mailing list