OpenSSH and X.509 Certificate Support
Roumen Petrov
openssh at roumenpetrov.info
Wed Mar 19 07:18:08 EST 2008
Joviano Dias wrote:
> As I had mentioned previously, I am building a system with OpenSSH + X.509
> using the patch provided by Roumen,
> I have to have the subject lines in my authorized keys in order to
> authenticate clients based on the match of these subject lines.
>
> I wanted to authenticate all clients who were issued a client certificate by
> the CA whose CA certificate is present on the Server as I believe that this
> should be sufficient and would avoid the overhead of adding subject lines
> (to authorized_keys on the server) of each client certificate issued...
>
> Here is what I am considering...
>
> [SNIP]
>>> Sure, if you like every client with valid certificate to login
>>> into every logon account on the server.
Would you like every client with a valid and verified certificate to log
into every logon account, even as root?
If you don't like this, then you should create a map between the certificate
distinguished name or public part and logon accounts.
Also note that the authorized-keys file is such a map.
Roumen
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
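
The difference between the two policies discussed in this thread, as an added example that is not part of the original message or of the X.509 patch. The map format, the account names, the DNs and the `chain_verified` flag (standing in for the server's own certificate validation) are all constructed assumptions, not the patch's authorized_keys syntax.

```python
# Added illustration: "trust the CA only" versus a per-account map of subjects.
# Assumptions: DNs are in OpenSSL one-line form ("/C=XX/O=Example/CN=Alice"),
# values contain no "/", and values compare case-insensitively.

def normalize_dn(dn):
    """Return a comparable tuple of (ATTRIBUTE, value) pairs for a one-line DN."""
    rdns = []
    for part in dn.strip().split("/"):
        if not part:
            continue  # skip the empty piece before the leading "/"
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Upper-case the attribute type, collapse whitespace in the value.
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return tuple(rdns)

# Constructed sample map: logon account -> subject DNs allowed to use it.
ACCOUNT_MAP = {
    "root": ["/C=XX/O=Example/OU=Admins/CN=Carol"],
    "alice": ["/C=XX/O=Example/CN=Alice"],
}

def ca_only_policy(account, subject_dn, chain_verified):
    """Policy from the question: any certificate issued by the trusted CA passes."""
    return chain_verified  # the requested account is never consulted

def mapped_policy(account, subject_dn, chain_verified, account_map=ACCOUNT_MAP):
    """Policy from the reply: verified chain AND subject listed for this account."""
    if not chain_verified:
        return False
    allowed = {normalize_dn(d) for d in account_map.get(account, [])}
    return normalize_dn(subject_dn) in allowed

if __name__ == "__main__":
    alice = "/C=XX/O=Example/CN=Alice"
    for account in ("alice", "root"):
        print(account,
              "ca-only:", ca_only_policy(account, alice, True),
              "mapped:", mapped_policy(account, alice, True))
```
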