Hi,

There are a few minor tweaks I would like to suggest regarding the recently added TrustedUserCAKeys section in sshd_config(5).

    TrustedUserCAKeys
        Specifies a file containing public keys of certificate authorities that are trusted sign user certificates for authentication. Keys are listed one per line, empty lines and comments starting with '#' are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using TrustedUserCAKeys. For more details in certificates, please see the CERTIFICATES section in ssh-keygen(1).

Replace "trusted sign user" with "trusted to sign user." Also, the next sentence should probably be split into two sentences to avoid a run-on: "Keys are listed one per line. Empty lines and comments..." Lastly, "more details in certificates" should be "more details on certificates."

--
Iain Morgan

On Thu, 4 Mar 2010, Iain Morgan wrote:

> Hi,
>
> There are a few minor tweaks I would like to suggest regarding the
> recently added TrustedUserCAKeys section in sshd_config(5).
>
> TrustedUserCAKeys Specifies a file containing public keys of
> certificate authorities that are trusted sign user certificates
> for authentication. Keys are listed one per line, empty lines
> and comments starting with '#' are allowed. If a certificate
> is presented for authentication and has its signing CA key
> listed in this file, then it may be used for authentication
> for any user listed in the certificate's principals list. Note
> that certificates that lack a list of principals will not be
> permitted for authentication using TrustedUserCAKeys. For more
> details in certificates, please see the CERTIFICATES section in
> ssh-keygen(1).
>
> Replace "trusted sign user" with "trusted to sign user." Also, the
> next sentence should probably be split into two sentences to avoid a
> run-on: "Keys are listed one per line. Empty lines and comments..."
> Lastly, "more details in certificates" should be "more details on
> certificates."

Jason McIntyre (manpage whacker supreme) already found and fixed these :)

-d