X509 based certificate authentication in OpenSSH

Dani, Naitik Naitik.Dani at netapp.com
Wed Jun 9 05:54:57 EST 2010

Thanks for your responses. They really helped me in understanding. 

Following are the steps I did to install a self-signed certificate:
1) client: ssh-keygen -f ca_rsa
2) ssh-keygen -s ca_rsa -I 0 -n USER1 ca_rsa.pub
3) Copied the ca_rsa-cert.pub to ~/.ssh/authorized_keys file on the
4) ssh USER1 [at] server

Did I miss anything in the above steps?

1) How does CA-signed certificate work in SSH?
2) Does Verisgin and other companies issue such kind of certificates?
3) What kind of input do such companies require in order to generate a
CA-signed certificate.
   For example, SSL generates CSR and that CSR is sent out to these
companies to generate CA-signed certificate.
3) What are the different options I need to use to make step 1 working?

Thanks in advance.

Naitik Dani
GX Infrastructure HQ

724-741-5153 Direct
Naitik.Dani at netapp.com


> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov] 
> Sent: Monday, June 07, 2010 19:23
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> > 
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
> No, although Roumen Petrov maintains a patch that adds such support.
> > It looks like OpenSSH has dependency on OpenSSL so does 
> this mean that
> > OpeSSH also supports x509 certificate based authentication.
> No, OpenSSH just uses the low-level cryptographic algorithms from
> OpenSSL.
> > 
> > If it does support, can you please point me to the necessary
> > documentation. 
> > 
> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.
> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces 
> less risk. See
> the various man pages in OpenSSH 5.5 for more information.
> -- 
> Iain Morgan

More information about the openssh-unix-dev mailing list