FW: Help with CA Certificates for user authentication?

Willard Dawson wfdawson at bellsouth.net
Sat Nov 5 22:42:28 EST 2011


My apologies to the list for inadvertently taking this offline.

As info:

-----Original Message-----
From: Iain Morgan [mailto:Iain.Morgan at nasa.gov] 
Sent: Friday, November 04, 2011 8:15 PM
To: wfdawson at bellsouth.net
Subject: Re: Help with CA Certificates for user authentication?

On Fri, Nov 04, 2011 at 11:53:25 -0500, wfdawson at bellsouth.net wrote:
> 
> Thanks for the clarification. I started to suspect that I was misreading
the intent of sigs for user auth keys as I reread those articles. What got
me down the wrong path was my interpretation of the recent "what's new in
openssh" slide deck.
> 
> I care about batch mode sftp from unix systems but have to also architect
key mgt. Null passphrase private keys are mostly not acceptable in our org,
though trusting a key that has been signed by our own CA for auth, even if
there is no "user password" applied, would likely get a "pass." 
> 
> For us, the compromise position that may be acceptable would be to use
openssh CA trust applied to null passphrase user keys, tightened down to
allow specific file transfer scripts on the server side.
> 

Right, one of the advantages of using certificates is that the restrictions
are assigned at the point where the cert is generated, rather than relying
upon the user to put appropriate restrictions in an authorized_keys file.
And, you can also limit the lifetime of the cert.

> Now that I better understand the auth limitations, I know where to focus
this effort.
> 
> Thanks, again.

Glad to be of help.

--
Iain

> 
> Sent via BlackBerry by AT&T
> 
> -----Original Message-----
> From: Iain Morgan <imorgan at nas.nasa.gov>
> Date: Fri, 4 Nov 2011 09:30:43
> To: wfdawson<wfdawson at bellsouth.net>
> Cc: openssh-unix-dev at mindrot.org<openssh-unix-dev at mindrot.org>
> Subject: Re: Help with CA Certificates for user authentication?
> 
> Using certificates does not bypass the need for a passphrase. For both 
> certificate and public-key authentication, the candidate key or 
> certificate is first presented to the server to see if it will be 
> accepted. If the server is willing to accept the key or cert, you then 
> move on to the stage where an actual signature is required.
> 
> Note that just as with conventional public-key authentication, you can 
> use ssh-agent to avoid having to enter the passphrase every time.
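To make concrete what "restrictions assigned at the point where the cert is generated" and "limit the lifetime of the cert" mean on the wire, here is an added example (my own code, not part of this thread and not OpenSSH's): it encodes a user certificate in the ssh-ed25519-cert-v01@openssh.com layout from OpenSSH's PROTOCOL.certkeys, parses it back, and applies the checks sshd makes on a presented certificate before it ever asks the client for a signature, which is the ordering Iain describes. Assumptions: the key bytes are dummies, the signature is a zero placeholder (a real one comes from `ssh-keygen -s ca_key -I batch-sftp@host1 -n sftpbatch -V +30d -O clear -O force-command=/usr/local/sbin/sftp-only.sh -O source-address=10.0.5.0/24 user_key.pub`, trusted on the server with `TrustedUserCAKeys` in sshd_config), the Ed25519 cert type postdates this 2011 thread (the ssh-rsa-cert-v01 layout differs only in the public-key fields), and the principal, path and network are invented.

```python
"""OpenSSH user certificate (ssh-ed25519-cert-v01@openssh.com) per PROTOCOL.certkeys:
encode a cert carrying CA-assigned restrictions, parse it back, and run the policy
checks sshd applies to a presented cert before requesting a signature from the client."""
import base64
import ipaddress
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
KNOWN_CRITICAL = {"force-command", "source-address"}  # any unknown critical option => reject


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _options(opts: dict) -> bytes:
    """Critical options / extensions: name,data pairs, lexically ordered by name.
    data is a string-wrapped value, or empty for flag-style extensions (permit-pty...)."""
    body = b"".join(_string(k.encode()) + _string(_string(v.encode()) if v else b"")
                    for k, v in sorted(opts.items()))
    return _string(body)


def build_cert(user_pk, serial, key_id, principals, valid_after, valid_before,
               critical_options, extensions, ca_key_blob, nonce=bytes(32)):
    """Assemble the signed body, then append the signature blob.
    Placeholder: the signature is all zeros; ssh-keygen -s puts a real Ed25519
    signature by the CA over `body` here."""
    body = (_string(CERT_TYPE) + _string(nonce) + _string(user_pk)
            + struct.pack(">Q", serial) + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _options(critical_options) + _options(extensions)
            + _string(b"")                        # reserved
            + _string(ca_key_blob))               # signature key = the CA public key blob
    placeholder_sig = _string(b"ssh-ed25519") + _string(bytes(64))
    return body + _string(placeholder_sig)


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v

    def string(self):
        n = self.u32()
        s = self.buf[self.pos:self.pos + n]
        self.pos += n
        return s

    def at_end(self):
        return self.pos == len(self.buf)


def _parse_options(blob):
    r, out = _Reader(blob), {}
    while not r.at_end():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def parse_cert(blob):
    """Decode every field of the certificate into a dict."""
    r = _Reader(blob)
    c = {"type": r.string().decode(), "nonce": r.string(), "pk": r.string(),
         "serial": r.u64(), "cert_type": r.u32(), "key_id": r.string().decode()}
    pr, c["principals"] = _Reader(r.string()), []
    while not pr.at_end():
        c["principals"].append(pr.string().decode())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    c["critical_options"], c["extensions"] = _parse_options(r.string()), _parse_options(r.string())
    r.string()                                    # reserved
    c["signature_key"], c["signature"] = r.string(), r.string()
    if not r.at_end():
        raise ValueError("trailing bytes after certificate signature")
    return c


def server_policy_check(cert, login_user, now, client_ip, trusted_ca_blobs):
    """sshd's acceptance checks on a presented cert (CA trust, cert type, principal,
    validity window, critical options, source-address). Returns (accepted, reasons).
    Verifying the CA signature over the body is left out because the sample uses a
    placeholder signature; real sshd does it as part of this step."""
    reasons = []
    if cert["signature_key"] not in trusted_ca_blobs:
        reasons.append("signing CA not in TrustedUserCAKeys")
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        reasons.append("not a user certificate")
    # An empty principal list means "valid for any user"; a CA should not issue that lightly.
    if cert["principals"] and login_user not in cert["principals"]:
        reasons.append(f"principal {login_user!r} not listed")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        reasons.append("outside validity window")
    unknown = set(cert["critical_options"]) - KNOWN_CRITICAL
    if unknown:
        reasons.append(f"unknown critical options {sorted(unknown)}")
    src = cert["critical_options"].get("source-address")
    if src and not any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n)
                       for n in src.split(",")):
        reasons.append(f"client {client_ip} not within source-address {src}")
    return not reasons, reasons


def effective_command(cert, requested):
    """force-command in the cert overrides whatever the client asked to run."""
    return cert["critical_options"].get("force-command", requested)


def to_pubkey_line(blob):
    """Render as the one-line form found in id_ed25519-cert.pub."""
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode()


# Constructed sample: dummy key bytes, invented principal/path/network, 30-day lifetime.
CA_KEY_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
USER_PK = bytes(range(32, 64))
VALID_AFTER = 1320000000                          # about 2011-10-30, the era of this thread
SAMPLE_CERT = build_cert(
    USER_PK, serial=42, key_id="batch-sftp@host1", principals=["sftpbatch"],
    valid_after=VALID_AFTER, valid_before=VALID_AFTER + 30 * 86400,
    critical_options={"force-command": "/usr/local/sbin/sftp-only.sh",
                      "source-address": "10.0.5.0/24"},
    extensions={},                                # -O clear: no pty, no forwarding, no agent
    ca_key_blob=CA_KEY_BLOB)
```

The point for the null-passphrase batch case: the user's private key only proves possession; the principal list, validity window, source-address and force-command travel inside the CA-signed certificate, so the key holder cannot loosen them, and the server enforces them before and regardless of any `command=` the user might have put in authorized_keys. Lifetime is enforced by the `valid_before` check, so an unrotated batch key quietly stops working instead of living forever.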


