Due to unpleasant (but arguably valid) policy changes at work, any SSH server within the work firewall must accept only PKI authentication. Unless we can convince the higher-ups otherwise, we will also have to use the commercial SSH server within the firewall. Of course, I should be able to use whatever client I like. Unfortunately, it is not clear that I can get OpenSSH to use PKI authentication. A bit of googling turns up a patch, but nothing too certain or clear. Does OpenSSH support PKI authentication? If so, how do I use it?

--Greg

Gregory Seidman wrote:
> Due to unpleasant (but arguably valid) policy changes at work, any SSH
> server within the work firewall must accept only PKI authentication.
> Unless we can convince the higher-ups otherwise, we will also have to
> use the commercial SSH server within the firewall. Of course, I should
> be able to use whatever client I like. Unfortunately, it is not clear
> that I can get OpenSSH to use PKI authentication. A bit of googling
> turns up a patch, but nothing too certain or clear. Does OpenSSH support
> PKI authentication? If so, how do I use it?

There were patches sent to the list a while ago to add some basic PKI functionality, for host keys IIRC. They may still apply to current version. They stalled because of lack of demand and testing. Roumen Petrov had (has?) a set of patches too.

-d

Several people answered about the X.509 integration patches for OpenSSH. I wonder, do the policy changes affecting Greg require integration with a specific external PKI (e.g. MS, Verisign, Entrust), or would those policy changes be satisfied by simply using asymmetric cryptography, which is built right in to OpenSSH's ability to perform (require) authentication by pre-shared public / private key pairs?

-Jay

-----Original Message-----
From: openssh-unix-dev-bounces+libove=felines.org at mindrot.org [mailto:openssh-unix-dev-bounces+libove=felines.org at mindrot.org] On Behalf Of Gregory Seidman
Sent: Monday, February 23, 2004 5:23 PM
To: OpenSSH development list
Subject: PKI and SSH

Due to unpleasant (but arguably valid) policy changes at work, any SSH server within the work firewall must accept only PKI authentication. Unless we can convince the higher-ups otherwise, we will also have to use the commercial SSH server within the firewall. Of course, I should be able to use whatever client I like. Unfortunately, it is not clear that I can get OpenSSH to use PKI authentication. A bit of googling turns up a patch, but nothing too certain or clear. Does OpenSSH support PKI authentication? If so, how do I use it?

--Greg