Joviano Dias
2008-Mar-10 07:56 UTC
Benefits of OpenSSH X.509 over key based authentication?
Hi,

I have some observations regarding the X.509 patch developed by Roumen Petrov for OpenSSH, available at http://roumenpetrov.info/openssh/ . I don't understand some things here, like:

1. When certificate based authentication of the client is desired, shouldn't it be something like what mod_ssl does in Apache, where you have a CA certificate at the server, and then the client certificate installed in the client browser? You do not have to update the server every time you update the client.

2. Whereas in the case of using the OpenSSH X.509 patch, we have to generate an id_rsa.pub file for every id_rsa (client cert + client key) file and append it to the authorized_keys file on the server. This means every time you generate a client cert (cert+key), you have to append the .pub part to the server. So isn't this like key-based authentication?

3. So, how is the practicality of this solution better than key based authentication?

Regards,
Joviano Dias