Certificates and authorized principals

Damien Miller djm at mindrot.org
Mon May 10 12:41:57 EST 2010


Users who are interested in certificate authentication might be interested
in this change:

>  - djm at cvs.openbsd.org 2010/05/07 11:30:30
>    [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c key.c]
>    [servconf.c servconf.h sshd.8 sshd_config.5]
>    add some optional indirection to matching of principal names listed
>    in certificates. Currently, a certificate must include the user's name
>    to be accepted for authentication. This change adds the ability to
>    specify a list of certificate principal names that are acceptable.
>    When authenticating using a CA trusted through ~/.ssh/authorized_keys,
>    this adds a new principals="name1[,name2,...]" key option.
>    For CAs listed through sshd_config's TrustedCAKeys option, a new config
>    option "AuthorizedPrincipalsFile" specifies a per-user file containing
>    the list of acceptable names.
>    If either option is absent, the current behaviour of requiring the
>    username to appear in principals continues to apply.
>    These options are useful for role accounts, disjoint account namespaces
>    and "user at realm"-style naming policies in certificates.
>    feedback and ok markus@
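To make the matching rule above concrete, here is a small model of the decision, written as an added example for this post; it is not OpenSSH code. It parses just enough of an authorized_keys line to pull out the `principals="..."` option (escaped quotes inside the value are not handled), reads an AuthorizedPrincipalsFile body (one name per line, `#` comments ignored; this is the file the sshd_config option shipped as `TrustedUserCAKeys` pairs with), and then applies the rule from the commit message: with no acceptable-name list, the login name itself must be among the certificate's principals; with a list, any overlap between the certificate's principals and the list is enough. The key line, principal names and file contents are constructed for the example.

```python
"""Model of OpenSSH certificate principal matching with optional indirection.

Constructed example, not OpenSSH's own implementation: it only demonstrates
the acceptance rule described in the commit message.
"""
from typing import Dict, Iterable, Optional, Set, Union

# Key types we recognise at the start of an authorized_keys line without options.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")


def parse_key_options(line: str) -> Dict[str, Union[str, bool]]:
    """Return the leading option field of an authorized_keys line as a dict.

    Flags (e.g. cert-authority) map to True; valued options (principals=...)
    map to their string value. Quoted values may contain commas. Backslash
    escapes inside quotes are not handled (kept simple for the example).
    """
    if line.startswith(KEY_TYPE_PREFIXES):
        return {}  # no option field at all
    opts: Dict[str, Union[str, bool]] = {}
    i, n = 0, len(line)
    while i < n and not line[i].isspace():
        start = i
        while i < n and line[i] not in '=, \t':
            i += 1
        name = line[start:i]
        value: Union[str, bool] = True
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':
                i += 1
                start = i
                while i < n and line[i] != '"':
                    i += 1
                value = line[start:i]
                i += 1  # skip closing quote
            else:
                start = i
                while i < n and line[i] not in ", \t":
                    i += 1
                value = line[start:i]
        opts[name] = value
        if i < n and line[i] == ",":
            i += 1
    return opts


def acceptable_from_option(opts: Dict[str, Union[str, bool]]) -> Optional[Set[str]]:
    """Acceptable names from a principals="a,b" key option, or None if absent."""
    raw = opts.get("principals")
    if not isinstance(raw, str):
        return None
    return {p.strip() for p in raw.split(",") if p.strip()}


def acceptable_from_file(text: Optional[str]) -> Optional[Set[str]]:
    """Acceptable names from an AuthorizedPrincipalsFile body; None if no file.

    An existing but empty file yields an empty set, which matches nothing.
    """
    if text is None:
        return None
    names: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            names.add(entry)
    return names


def cert_accepted(cert_principals: Iterable[str], username: str,
                  acceptable: Optional[Set[str]] = None) -> bool:
    """Apply the rule: without a list, the login name must be a principal;
    with a list, any certificate principal found in the list is enough."""
    wanted = {username} if acceptable is None else acceptable
    return any(p in wanted for p in cert_principals)


# Constructed sample inputs (the key blob is a placeholder, not a real key).
AUTHORIZED_KEYS_LINE = (
    'cert-authority,principals="deploy-role,alice" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-PLACEHOLDER ca@example"
)
PRINCIPALS_FILE = "# allowed roles for the www account\ndeploy-role\n\nbob # ops\n"


def role_account_demo() -> Dict[str, bool]:
    """Role account 'www' logging in with a certificate issued to 'deploy-role'."""
    cert = ["deploy-role"]
    return {
        "default_rule": cert_accepted(cert, "www"),
        "authorized_keys_principals": cert_accepted(
            cert, "www", acceptable_from_option(parse_key_options(AUTHORIZED_KEYS_LINE))),
        "authorized_principals_file": cert_accepted(
            cert, "www", acceptable_from_file(PRINCIPALS_FILE)),
    }


if __name__ == "__main__":
    for case, ok in role_account_demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The `default_rule` case is rejected because the certificate names `deploy-role`, not `www`; both indirection paths accept it because the administrator has listed `deploy-role` as acceptable for that account, which is exactly the role-account use the message describes.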

