X509 based certificate authentication in OpenSSH

Iain Morgan imorgan at nas.nasa.gov
Tue Jun 8 09:22:52 EST 2010


On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> Hello,
> 
> I would like to know whether OpenSSH supports x509 certificate based
> authentication.

No, although Roumen Petrov maintains a patch that adds such support.

> It looks like OpenSSH has dependency on OpenSSL so does this mean that
> OpenSSH also supports x509 certificate based authentication.

No, OpenSSH just uses the low-level cryptographic algorithms from
OpenSSL.

> 
> If it does support, can you please point me to the necessary
> documentation.

The developers have maintained a stance that the complexity of X.509
certificates introduces an unacceptable attack surface for sshd.
Instead, they have recently implemented an alternative certificate
format which is much simpler to parse and thus introduces less risk. See
the various man pages in OpenSSH 5.5 for more information.

-- 
Iain Morgan
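To make the "simpler to parse" point concrete, here is an added example (my own code, not OpenSSH's) that encodes and parses the OpenSSH certificate wire format documented in PROTOCOL.certkeys, then applies the principal and validity-window checks sshd makes after verifying the CA signature. Assumptions: it uses the later ssh-ed25519-cert-v01@openssh.com form rather than the RSA/DSA types that shipped in 5.5, the nonce and signature bytes are constructed placeholders, and signature verification itself is left out.

```python
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # 'type' field: 1 = user certificate, 2 = host certificate

def _s(b):  # SSH 'string': 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def encode_cert(pubkey, serial, key_id, principals, valid_after, valid_before,
                extensions, signature_key, signature, nonce=b"\x00" * 32):
    ext_blob = b"".join(_s(name) + _s(b"") for name in extensions)  # flag extensions: empty data
    return (_s(CERT_TYPE) + _s(nonce) + _s(pubkey) + struct.pack(">QI", serial, USER_CERT)
            + _s(key_id) + _s(b"".join(_s(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(ext_blob) + _s(b"")  # critical options (none), extensions, reserved
            + _s(signature_key) + _s(signature))

class _Reader:  # bounds-checked cursor: a truncated blob raises instead of misparsing
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated certificate")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def uint(self, width):  # 4 -> uint32, 8 -> uint64
        return int.from_bytes(self.take(width), "big")
    def string(self):
        return self.take(self.uint(4))
    def strings(self):  # packed string list, as used for principals and extensions
        while self.pos < len(self.buf):
            yield self.string()

def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    cert = {"nonce": r.string(), "pubkey": r.string(), "serial": r.uint(8),
            "type": r.uint(4), "key_id": r.string().decode()}
    cert["principals"] = [p.decode() for p in _Reader(r.string()).strings()]
    cert["valid_after"], cert["valid_before"], cert["critical_options"] = r.uint(8), r.uint(8), r.string()
    ext = list(_Reader(r.string()).strings())  # alternating name, data pairs
    cert["extensions"] = [name.decode() for name in ext[0::2]]
    cert["reserved"], cert["signature_key"], cert["signature"] = [r.string() for _ in range(3)]
    if r.pos != len(blob):
        raise ValueError("trailing data after certificate")
    return cert

def authorize(cert, user, now):  # checks sshd applies after verifying the CA signature
    return (cert["type"] == USER_CERT and user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```

The whole format is a flat sequence of length-prefixed fields, so the parser needs no ASN.1 library and no recursion, which is the contrast with X.509 the reply is drawing.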
