OpenSSH and X.509 Certificate Support

joviano_dias at persistent.co.in joviano_dias at persistent.co.in
Sun Mar 23 07:30:06 EST 2008


> Joviano Dias wrote:
>> As I had mentioned previously, I am building a system with OpenSSH +
>> X.509 using the patch provided by Roumen. I have to have the subject
>> lines in my authorized keys in order to authenticate clients based on
>> the match of these subject lines.
>>
>> I wanted to authenticate all clients who were issued a client
>> certificate by the CA whose CA certificate is present on the server, as
>> I believe that this should be sufficient and would avoid the overhead
>> of adding subject lines (to authorized_keys on the server) of each
>> client certificate issued...
>>
>> Here is what I am considering...
>>
>> [SNIP]
>>>> Sure, if you like every client with valid certificate to login
>>>> into every logon account on the server.
>
> Did you like every client with valid and verified certificate to log
> into every logon account even as root?

Yes, I would like to implement such a scenario, as all users issued a
client certificate have root privileges and they should be able to log in
to all accounts on the server with the same certificate, even root.
(Don't mind clients with a certificate being able to access as root.)

> If you don't like this, then you should create a map between certificate
> distinguished name or public part and logon accounts.
> Also note that authorized-keys file is such map.

I agree that this would be a good approach; however, I am trying to
eliminate the need for any kind of checking of the "authorized_keys" file.
To achieve this, and after analyzing the code, I had originally planned to
modify the file ssh-x509.c, since this is the place where the subject
lines (of authorized_keys) are checked.
However, the checking of the key type (the RSA/DSA x509 key type which
precedes the subject line for every entry in the authorized_keys file)
would still be performed if I had done this.

So in order to eliminate the checking of entire strings in
authorized_keys(key type+subject line), I figured out that I could short
circuit the function "user_key_allowed2()" in the file "auth2-pubkey.c"
(return 1 for all scenarios).

I am yet to implement this; I just wanted to know whether it would
actually work and if this approach is fine, considering I don't need to
check the authorized_keys file.

Thanks,
Joviano
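The map Roumen refers to (certificate subject and key type matched against a per-account authorized_keys list) and the effect of short-circuiting it, as an added example; this is not OpenSSH code nor the X.509 patch's code. The entry format "<key type> <subject DN>" and the key-type names used below are assumptions made for the example, not the patch's real syntax, and the authorized_keys contents are constructed.

```python
"""Added example: a minimal subject-DN-to-account map, plus the reachable
set of accounts with and without the map, to show what the authorized_keys
check is deciding. Entry syntax and data are constructed, not the patch's.
"""
from typing import Dict, List, Optional, Tuple

# Constructed per-account authorized_keys contents. Assumed entry format:
# "<key type> <subject DN>", with a key type preceding each subject line.
AUTHORIZED_KEYS: Dict[str, List[str]] = {
    "root": [
        "x509v3-sign-rsa /C=IN/O=Example/CN=alice",
    ],
    "deploy": [
        "# comment lines and blanks are ignored",
        "x509v3-sign-rsa /C=IN/O=Example/CN=alice",
        "x509v3-sign-dss /C=IN/O=Example/CN=bob",
        "x509v3-sign-rsa not-a-dn",  # malformed: must never grant access
    ],
}

# Assumed key-type names for the example (hypothetical, not the patch's).
ACCEPTED_KEY_TYPES = {"x509v3-sign-rsa", "x509v3-sign-dss"}

DN = Tuple[Tuple[str, str], ...]


def parse_dn(dn: str) -> DN:
    """Normalise a slash-separated DN into ((ATTR, value), ...) so that
    comparison ignores spacing and the case of attribute names only."""
    pairs = []
    for rdn in dn.strip().split("/"):
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    if not pairs:
        raise ValueError("empty DN")
    return tuple(pairs)


def parse_entry(line: str) -> Optional[Tuple[str, DN]]:
    """Parse one authorized_keys line; None for comments, blanks, unknown
    key types or malformed DNs (a bad line is a miss, never a match)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    key_type, _, subject = line.partition(" ")
    if key_type not in ACCEPTED_KEY_TYPES or not subject.strip():
        return None
    try:
        return key_type, parse_dn(subject)
    except ValueError:
        return None


def user_key_allowed(account: str, key_type: str, subject_dn: str,
                     authorized: Dict[str, List[str]] = AUTHORIZED_KEYS) -> bool:
    """The map: allow only if (key type, subject) is listed for this account."""
    try:
        wanted = (key_type, parse_dn(subject_dn))
    except ValueError:
        return False
    return any(parse_entry(l) == wanted for l in authorized.get(account, []))


def short_circuit_allowed(account: str, key_type: str, subject_dn: str) -> bool:
    """The 'return 1 for all scenarios' variant discussed in the thread:
    every verified certificate is accepted for every account."""
    return True


def accounts_reachable(key_type: str, subject_dn: str, check=user_key_allowed,
                       authorized: Dict[str, List[str]] = AUTHORIZED_KEYS) -> List[str]:
    """Which login accounts a given certificate can reach under a check."""
    return sorted(a for a in authorized if check(a, key_type, subject_dn))


if __name__ == "__main__":
    bob = ("x509v3-sign-dss", "/C=IN/O=Example/CN=bob")
    print("map        :", accounts_reachable(*bob))
    print("short-circ :", accounts_reachable(*bob, check=short_circuit_allowed))
```

With the map, bob's certificate reaches only "deploy"; with the short-circuit it reaches "root" as well, which is exactly the trade-off the thread is about. Note that the key type is part of the match, so the same subject presented under a different key type is refused.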
