X.509 certificates and OpenSSH

JCA 1.41421 at gmail.com
Tue Aug 14 06:01:26 EST 2012


I understand that recent versions of OpenSSH have support for X.509
certificates, in the sense that OpenSSH clients can extract the
relevant information from such certificates and use it in order to
carry out the usual public key-based authentication.

Having a quick look into the SSH RFCs, it would seem that this is the
only way in which OpenSSH supports X.509-based authentication. That
is, it all boils down to the client, not the server. The server just
gets a public key, as usual; it never knows whether it has been
extracted from an X.509 certificate, or from a run-of-the-mill OpenSSH
public key file.

Is this correct?

