X509 based certificate authentication in OpenSSH

Dani, Naitik Naitik.Dani at netapp.com
Thu Jun 10 01:14:41 EST 2010

I did the following steps to create a certificate, but it does not work:

  1) Client: ssh-keygen -f ca_key
  2) Client: ssh-keygen -f user_key
  3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
  4) Server: cp ca_key.pub ~/.ssh/authorized_keys
  5) I tagged the entry in authorized_keys as follows with
cert-authority, is this correct:
cert-authority ssh-rsa
xNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER at server1
  6) Client: ssh USER at server --> it failed

What should I do with the user_key-cert.pub file which gets created in step
3? Where should I copy this file?
Do I need to copy user_key/user_key.pub into the ~/.ssh/ directory as
id_rsa/id_rsa.pub on the server side?

Thanks in advance.

Naitik Dani
GX Infrastructure HQ

724-741-5153 Direct
Naitik.Dani at netapp.com


> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov] 
> Sent: Monday, June 07, 2010 19:23
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> > 
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
> No, although Roumen Petrov maintains a patch that adds such support.
> > It looks like OpenSSH has a dependency on OpenSSL, so does this mean that
> > OpenSSH also supports x509 certificate based authentication?
> No, OpenSSH just uses the low-level cryptographic algorithms from
> OpenSSL.
> > 
> > If it does support, can you please point me to the necessary
> > documentation. 
> > 
> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.
> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces less risk. See
> the various man pages in OpenSSH 5.5 for more information.
> -- 
> Iain Morgan

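The flow attempted in the steps above, as an added example that is not part of the original message or of the OpenSSH project: a POSIX shell script that runs ssh-keygen end to end in a scratch directory, writes the server-side authorized_keys entry from the CA public key, and checks offline that the resulting certificate was signed by the trusted CA and carries the intended principal. The function names (make_user_cert, write_authorized_keys, write_client_config, cert_signed_by_ca, cert_allows_principal, run_demo), the principal USER and the host server1 are assumptions of this example; it assumes ssh-keygen from OpenSSH 6.8 or later on PATH (SHA256 fingerprints, ed25519 keys) and never contacts a server.

```shell
#!/bin/sh
# Added example, not code from the original thread: the OpenSSH certificate
# flow from the post, run end to end in a scratch directory so each piece
# can be checked offline with ssh-keygen alone (no sshd involved).
# Assumes ssh-keygen from OpenSSH >= 6.8 (SHA256 fingerprints, ed25519).
set -eu

# Create the CA key pair, the user's key pair, and a user certificate
# signed by the CA.  $1 = scratch dir, $2 = principal, i.e. the login
# name the user will pass to "ssh USER@server" (assumed: USER).
make_user_cert() {
  dir=$1; principal=$2
  mkdir -p "$dir"
  ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$dir/ca_key"
  ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/user_key"
  # -I is the identity sshd logs, -n the principals the cert is valid for,
  # -V the validity window.  The output lands next to the public key as
  # $dir/user_key-cert.pub and stays on the CLIENT side.
  ssh-keygen -q -s "$dir/ca_key" -I "cert-for-$principal" -n "$principal" \
    -V '-5m:+52w' "$dir/user_key.pub"
}

# What the SERVER needs: only the CA *public* key, prefixed with
# cert-authority, in ~USER/.ssh/authorized_keys.  Neither user_key.pub nor
# user_key-cert.pub is copied to the server.  $1 = scratch dir
write_authorized_keys() {
  printf 'cert-authority %s\n' "$(cat "$1/ca_key.pub")" > "$1/authorized_keys"
}

# What the CLIENT needs: private key and certificate side by side.
# "ssh -i user_key" loads user_key-cert.pub by name on its own;
# CertificateFile (OpenSSH >= 7.2) names it explicitly.  $1 = dir, $2 = host
write_client_config() {
  cat > "$1/ssh_config" <<EOF
Host $2
    IdentityFile $1/user_key
    CertificateFile $1/user_key-cert.pub
EOF
}

# 0 if certificate $1 was issued by the CA public key $2: the CA
# fingerprint from "ssh-keygen -l" must appear on the "Signing CA:" line
# of "ssh-keygen -L".  sshd establishes the same relationship by
# verifying the cert's signature against the cert-authority key.
cert_signed_by_ca() {
  fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
  ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$fp"
}

# 0 if principal $2 is listed in certificate $1.  sshd also requires the
# login name to match one of these (or the principals= option in the
# authorized_keys entry), which is why -n in step 3 must equal USER.
cert_allows_principal() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -qx " *$2"
}

# Full flow plus a negative case: a certificate issued by some other CA
# must not verify against the authorized CA.  Returns 0 on success.
run_demo() {
  work=$(mktemp -d)
  make_user_cert "$work" USER
  write_authorized_keys "$work"
  write_client_config "$work" server1
  mkdir "$work/rogue"
  ssh-keygen -q -t ed25519 -N '' -C 'rogue CA' -f "$work/rogue/ca_key"
  cp "$work/user_key.pub" "$work/rogue/"
  ssh-keygen -q -s "$work/rogue/ca_key" -I rogue -n USER "$work/rogue/user_key.pub"
  status=0
  grep -q '^cert-authority ssh-ed25519 ' "$work/authorized_keys" || status=1
  cert_signed_by_ca "$work/user_key-cert.pub" "$work/ca_key.pub" || status=1
  cert_allows_principal "$work/user_key-cert.pub" USER || status=1
  cert_allows_principal "$work/user_key-cert.pub" root && status=1
  cert_signed_by_ca "$work/rogue/user_key-cert.pub" "$work/ca_key.pub" && status=1
  rm -rf "$work"
  return $status
}

if command -v ssh-keygen >/dev/null 2>&1; then
  if run_demo; then echo "PASS: certificate flow verified"; else echo FAIL; exit 1; fi
else
  echo "ssh-keygen not found; nothing run" >&2
fi
```

Run it as `sh cert_flow.sh`. Against the numbered steps in the post, the script makes three points: the server receives only the cert-authority line built from ca_key.pub (step 4 copies the right file, but the entry has to be a single line); user_key-cert.pub is never copied anywhere, it stays beside user_key on the client, where ssh -i user_key finds it by name; and the principal given with -n has to equal the login name used at step 6.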