X509 based certificate authentication in OpenSSH
Jason Pyeron
jpyeron at pdinc.us
Thu Sep 22 13:41:19 AEST 2022
Recent posts here [1] and one of my engineers brought up certificate authentication topics at the same time, sorry for the necromancing.
> -----Original Message----- [2]
> From: Iain Morgan
> Sent: Monday, June 7, 2010 7:23 PM
>
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> >
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
>
> No, although Roumen Petrov maintains a patch that adds such support.
I assume this is referring to RFC 6187.
<snip/>
> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.
Is this still the case? Reading PROTOCOL.certkeys [3], the preamble has not changed since 2010.
What could possibly allow for discussion on this topic (goal is to add RFC 6187 support and NOT fork - tired of being browbeaten with "but commercial versions do it")?
> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces less risk. See
> the various man pages in OpenSSH 5.5 for more information.
Respectfully,
Jason Pyeron
1: https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-September/040400.html
2: https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028702.html
3: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys
--
Jason Pyeron | Architect
PD Inc | Certified SBA 8(a)
10 w 24th St | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
.mil: jason.j.pyeron.ctr at mail.mil
.com: jpyeron at pdinc.us
tel : 202-741-9397