X509 based certificate authentication in OpenSSH

Jason Pyeron jpyeron at pdinc.us
Thu Sep 22 13:41:19 AEST 2022


Recent posts here [1] and one of my engineers brought up certificate authentication topics at the same time, sorry for the necromancing.

> -----Original Message----- [2]
> From: Iain Morgan
> Sent: Monday, June 7, 2010 7:23 PM
> 
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> >
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
> 
> No, although Roumen Petrov maintains a patch that adds such support.

I assume this is referring to RFC 6187.

<snip/>

> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.

Is this still the case? Reading PROTOCOL.certkeys [3], the preamble has not changed since 2010.

What could possibly allow for discussion on this topic (goal is to add RFC 6187 support and NOT fork; tired of being browbeaten with "but commercial versions do it")?

> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces less risk. See
> the various man pages in OpenSSH 5.5 for more information.

Respectfully,


Jason Pyeron

1: https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-September/040400.html
2: https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028702.html
3: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys

--
Jason Pyeron  | Architect
PD Inc        | Certified SBA 8(a)
10 w 24th St  | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
 
.mil: jason.j.pyeron.ctr at mail.mil
.com: jpyeron at pdinc.us
tel : 202-741-9397
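To make the 2010 reply's "much simpler to parse" concrete, here is an added example (not code from the post above and not OpenSSH's own implementation) that encodes, parses and checks a certificate in the ssh-ed25519-cert-v01@openssh.com layout from PROTOCOL.certkeys: a fixed sequence of length-prefixed fields, no ASN.1/DER, no chain building, and option/extension parsing that is just name/value pairs. The subject key, CA key, nonce, key ID, principals and validity window are constructed placeholders; the signature is a real Ed25519 signature only when the optional `cryptography` package is installed, and is otherwise a zero placeholder reported as "not verified" (None) rather than as valid.

```python
"""Encode, parse and check an OpenSSH certificate (PROTOCOL.certkeys layout).
Added example; key material and identifiers below are constructed placeholders."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2
KNOWN_CRITICAL = {"force-command", "source-address", "verify-required"}


def s(b):  # RFC 4251 string: uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b


def pairs(d):  # critical options / extensions: (string name, string data)*, lexically ordered
    return b"".join(s(k.encode()) + s(s(v.encode()) if v else b"") for k, v in sorted(d.items()))


class Reader:
    """Cursor over a blob that refuses to read past its end (no silent truncation)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        out, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return out

    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def done(self): return self.pos == len(self.data)


def read_pairs(blob):
    r, out = Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string().decode() if data else ""  # data is itself a string
    return out


def build_signed_part(subject_pk, ca_pk, serial, key_id, principals, valid_after,
                      valid_before, critical, extensions, cert_type=USER_CERT, nonce=b"\x00" * 32):
    """Every field before the signature, in the order PROTOCOL.certkeys lists them."""
    return (s(CERT_TYPE) + s(nonce) + s(subject_pk) + struct.pack(">QI", serial, cert_type)
            + s(key_id.encode()) + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + s(pairs(critical))
            + s(pairs(extensions)) + s(b"") + s(s(b"ssh-ed25519") + s(ca_pk)))  # reserved, CA key


def parse_cert(blob):
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    c = {"nonce": r.string(), "pk": r.string(), "serial": r.u64(), "type": r.u32(),
         "key_id": r.string().decode()}
    p, c["principals"] = Reader(r.string()), []
    while not p.done():
        c["principals"].append(p.string().decode())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    c["critical"], c["extensions"] = read_pairs(r.string()), read_pairs(r.string())
    c["reserved"] = r.string()
    ca = Reader(r.string())
    c["ca_alg"], c["ca_pk"] = ca.string(), ca.string()
    c["signed_data"] = blob[:r.pos]                  # exactly what the CA signed
    sig = Reader(r.string())
    c["sig_alg"], c["signature"] = sig.string(), sig.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return c


def check_cert(c, now, principal, trusted_ca_pks, cert_type=USER_CERT):
    """Authorization checks a server applies after the signature; returns the problems found."""
    problems = []
    if c["type"] != cert_type:
        problems.append("wrong certificate type")
    if c["ca_alg"] != b"ssh-ed25519" or c["ca_pk"] not in trusted_ca_pks:
        problems.append("signing CA is not trusted")
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window")
    if principal not in c["principals"]:  # an empty list means "any" in OpenSSH; refused here
        problems.append("principal not listed")
    problems += ["unknown critical option %s" % n for n in c["critical"] if n not in KNOWN_CRITICAL]
    return problems


def verify_signature(c):
    """True/False when `cryptography` is installed, None when it is not available."""
    try:
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
        from cryptography.exceptions import InvalidSignature
    except ImportError:
        return None
    try:
        Ed25519PublicKey.from_public_bytes(c["ca_pk"]).verify(c["signature"], c["signed_data"])
        return c["sig_alg"] == b"ssh-ed25519"
    except (InvalidSignature, ValueError):
        return False


def rejects(blob):
    """True if parse_cert refuses the blob (used to show truncation / trailing-data handling)."""
    try:
        parse_cert(blob)
        return False
    except ValueError:
        return True


def demo(now=1_700_000_000):
    """Issue a constructed user certificate, parse it back and check it."""
    try:
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
        from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
        ca = Ed25519PrivateKey.generate()
        ca_pk, sign = ca.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw), ca.sign
    except ImportError:
        ca_pk, sign = b"\x11" * 32, lambda data: b"\x00" * 64  # constructed placeholders
    subject_pk = b"\x22" * 32                                    # constructed placeholder
    signed = build_signed_part(subject_pk, ca_pk, 7, "alice@example", ["alice", "deploy"],
                               now - 60, now + 3600, {"force-command": "/usr/bin/true"},
                               {"permit-pty": ""})
    blob = signed + s(s(b"ssh-ed25519") + s(sign(signed)))
    cert = parse_cert(blob)
    return {"cert": cert, "blob": blob, "problems": check_cert(cert, now, "alice", {ca_pk}),
            "verified": verify_signature(cert)}
```

The whole format is a handful of string/uint32/uint64 reads with a bounds check on each; a truncated or padded blob is rejected outright rather than partially interpreted, and an unrecognised critical option refuses the certificate instead of being ignored. That is the parsing attack surface the 2010 reply contrasts with X.509, where the same job needs a DER decoder, path building and extension semantics.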



More information about the openssh-unix-dev mailing list