X509 based certificate authentication in OpenSSH
Dani, Naitik
Naitik.Dani at netapp.com
Thu Jun 10 01:14:41 EST 2010
I did the following steps to create a certificate, but it does not work:
1) Client: ssh-keygen -f ca_key
2) Client: ssh-keygen -f user_key
3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
4) Server: cp ca_key.pub ~/.ssh/authorized_keys
5) I tagged the entry in authorized_keys as follows with
cert-authority, is this correct:
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDscbUTgHMo+bryVqKHbItgd1THR4fVvjRdrDd3ZoEooPA8iz/AR9umzn19rAeuRIKRYUnRsslaAVnAji6Hl1To51xoKQuV63cykCM+smxqsEIO8ThGeF/oH/HfAnpdDfZ7Lkh2n6n4ixwEygjQ0M9gnAZkyKBoq08rGp3vCZUFRCOTH3Xpdsy8kIqFxNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER@server1
6) Client: ssh USER@server --> it failed
What should I do with user_key-cert.pub file which gets created in step
3? Where should I copy this file?
Do I need to copy user_key/user_key.pub in ~/.ssh/ directory as
id_rsa/id_rsa.pub on the server side?
Thanks in advance.
Naitik Dani
MTS
GX Infrastructure HQ
NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com
> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Monday, June 07, 2010 19:23
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
>
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> >
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
>
> No, although Roumen Petrov maintains a patch that adds such support.
>
> > It looks like OpenSSH has a dependency on OpenSSL, so does this mean that
> > OpenSSH also supports x509 certificate based authentication.
>
> No, OpenSSH just uses the low-level cryptographic algorithms from
> OpenSSL.
>
> >
> > If it does support, can you please point me to the necessary
> > documentation.
> >
>
> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.
> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces less risk.
> See the various man pages in OpenSSH 5.5 for more information.
>
> --
> Iain Morgan
>
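As an added example (not from this thread and not OpenSSH's own code), the following Python encodes and parses a user certificate in the ssh-rsa-cert-v01@openssh.com format that `ssh-keygen -s` writes to user_key-cert.pub, reads the `cert-authority` entries out of an authorized_keys text, and runs the logical checks sshd applies at login (certificate type, signing CA, validity window, principal list). The key values, nonce and signature bytes are constructed placeholders, and signature verification over the certificate body is deliberately omitted; field order follows OpenSSH's PROTOCOL.certkeys.

```python
# Added example: OpenSSH user-certificate wire format plus the server-side checks.
# All key material below is a constructed placeholder, not a real key pair.
import base64
import struct
import time

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
CERT_ALGO = b"ssh-rsa-cert-v01@openssh.com"


def pack_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def pack_mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n == 0:
        return pack_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return pack_string(raw)


def encode_rsa_pub(e: int, n: int) -> bytes:
    """Public key blob, i.e. the base64 part of an 'ssh-rsa' authorized_keys line."""
    return pack_string(b"ssh-rsa") + pack_mpint(e) + pack_mpint(n)


class Reader:
    """Sequential decoder for the SSH wire types used by the certificate format."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big")

    def done(self) -> bool:
        return self.pos >= len(self.data)


def build_user_cert(e, n, serial, key_id, principals, valid_after, valid_before,
                    ca_blob, signature, nonce=b"\x00" * 32) -> bytes:
    """Serialise a user certificate in the order given by PROTOCOL.certkeys."""
    principals_field = b"".join(pack_string(p.encode()) for p in principals)
    return (pack_string(CERT_ALGO) + pack_string(nonce) + pack_mpint(e) + pack_mpint(n)
            + struct.pack(">Q", serial) + struct.pack(">I", CERT_TYPE_USER)
            + pack_string(key_id.encode()) + pack_string(principals_field)
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + pack_string(b"")        # critical options (none)
            + pack_string(b"")        # extensions (none)
            + pack_string(b"")        # reserved
            + pack_string(ca_blob)    # signature key: the CA's public key blob
            + pack_string(signature))


def parse_cert(blob: bytes) -> dict:
    """Decode a certificate blob (the fields `ssh-keygen -L` prints in human form)."""
    r = Reader(blob)
    if r.string() != CERT_ALGO:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    cert = {"nonce": r.string(), "e": r.mpint(), "n": r.mpint(),
            "serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    names, cert["principals"] = Reader(r.string()), []
    while not names.done():
        cert["principals"].append(names.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"], cert["extensions"], cert["reserved"] = r.string(), r.string(), r.string()
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def cert_authorities(authorized_keys: str) -> list:
    """Key blobs of authorized_keys lines carrying the cert-authority option.
    (Simplified: sshd's real parser also handles quoted options containing spaces.)"""
    cas = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "cert-authority" in parts[0].split(","):
            cas.append(base64.b64decode(parts[2]))
    return cas


def server_would_accept(cert: dict, login_user: str, trusted_cas: list, now: int):
    """Logical checks sshd makes on a presented certificate (signature check omitted here)."""
    if cert["type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if cert["signature_key"] not in trusted_cas:
        return False, "signing CA is not a cert-authority key in authorized_keys"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    # An empty principal list means 'any user'; otherwise the login name must be listed.
    if cert["principals"] and login_user not in cert["principals"]:
        return False, "login name not among certificate principals"
    return True, "accepted"


# Constructed sample mirroring the thread: key id "2", principal "USER", no expiry.
CA_BLOB = encode_rsa_pub(65537, 0xC0FFEE1234567)           # placeholder CA key
USER_CERT = build_user_cert(65537, 0xDEADBEEF, serial=2, key_id="2", principals=["USER"],
                            valid_after=0, valid_before=2 ** 64 - 1,
                            ca_blob=CA_BLOB, signature=b"placeholder-signature")
AUTHORIZED_KEYS = "cert-authority ssh-rsa " + base64.b64encode(CA_BLOB).decode() + " USER@server1\n"

if __name__ == "__main__":
    cert = parse_cert(USER_CERT)
    print("principals:", cert["principals"], "serial:", cert["serial"], "key id:", cert["key_id"])
    cas = cert_authorities(AUTHORIZED_KEYS)
    print(server_would_accept(cert, "USER", cas, int(time.time())))
    print(server_would_accept(cert, "bob", cas, int(time.time())))
```

The checks show why the certificate file never needs to reach the server: sshd only needs the CA public key on a `cert-authority` line (or in a `TrustedUserCAKeys` file named in sshd_config), while user_key-cert.pub stays on the client beside the private key, where `ssh -i user_key` loads it automatically. The principal given to `ssh-keygen -n` must equal the login name used in `ssh USER@server`, and `ssh-keygen -L -f user_key-cert.pub` displays the decoded principals and validity window for a real certificate.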