Hello,

I would like to know whether OpenSSH supports x509 certificate based authentication. It looks like OpenSSH has a dependency on OpenSSL, so does this mean that OpenSSH also supports x509 certificate based authentication? If it does support it, can you please point me to the necessary documentation?

Thanks,
Naitik
On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> Hello,
>
> I would like to know whether OpenSSH supports x509 certificate based
> authentication.

No, although Roumen Petrov maintains a patch that adds such support.

> It looks like OpenSSH has dependency on OpenSSL so does this mean that
> OpenSSH also supports x509 certificate based authentication.

No, OpenSSH just uses the low-level cryptographic algorithms from OpenSSL.

> If it does support, can you please point me to the necessary
> documentation.

The developers have maintained a stance that the complexity of X.509 certificates introduces an unacceptable attack surface for sshd. Instead, they have recently implemented an alternative certificate format which is much simpler to parse and thus introduces less risk. See the various man pages in OpenSSH 5.5 for more information.

-- 
Iain Morgan
Thanks for your responses. They really helped me in understanding.

Following are the steps I did to install a self-signed certificate:

1) client: ssh-keygen -f ca_rsa
2) ssh-keygen -s ca_rsa -I 0 -n USER1 ca_rsa.pub
3) Copied the ca_rsa-cert.pub to ~/.ssh/authorized_keys file on the servers.
4) ssh USER1 [at] server

Did I miss anything in the above steps?

Questions:

1) How does a CA-signed certificate work in SSH?
2) Do Verisign and other companies issue such kind of certificates?
3) What kind of input do such companies require in order to generate a CA-signed certificate? For example, SSL generates a CSR and that CSR is sent out to these companies to generate a CA-signed certificate.
4) What are the different options I need to use to make step 1 work?

Thanks in advance.

Naitik Dani
MTS GX Infrastructure HQ, NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com

> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Monday, June 07, 2010 19:23
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
I did the following steps to create a certificate, but it does not work:

1) Client: ssh-keygen -f ca_key
2) Client: ssh-keygen -f user_key
3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
4) Server: cp ca_key.pub ~/.ssh/authorized_keys
5) I tagged the entry in authorized_keys as follows with cert-authority, is this correct:

cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDscbUTgHMo+bryVqKHbItgd1THR4fVvjRdrDd3ZoEooPA8iz/AR9umzn19rAeuRIKRYUnRsslaAVnAji6Hl1To51xoKQuV63cykCM+smxqsEIO8ThGeF/oH/HfAnpdDfZ7Lkh2n6n4ixwEygjQ0M9gnAZkyKBoq08rGp3vCZUFRCOTH3Xpdsy8kIqFxNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER at server1

6) Client: ssh USER at server --> it failed

What should I do with the user_key-cert.pub file which gets created in step 3? Where should I copy this file? Do I need to copy user_key/user_key.pub in the ~/.ssh/ directory as id_rsa/id_rsa.pub on the server side?

Thanks in advance.

Naitik Dani
MTS GX Infrastructure HQ, NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com
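The OpenSSH-native certificate workflow that Iain's reply points to, run end to end in a scratch directory, as an added example that is not part of the thread. It assumes an OpenSSH ssh-keygen is installed (ed25519 keys need 6.5 or later; the thread's RSA keys work the same way), and the names ca_key, user_key, the principal USER1 and the key ID are illustrative placeholders. It demonstrates the three facts the later questions turn on: the CA signs the user's public key, the resulting user_key-cert.pub stays on the client beside user_key (ssh loads it automatically when given -i user_key), and the server trusts the CA public key rather than the user key, via a cert-authority line in authorized_keys or TrustedUserCAKeys in sshd_config; the principal given with -n must match the login name.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes ssh-keygen (OpenSSH >= 6.5).
# ca_key, user_key, USER1 and the key ID are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PRINCIPAL="USER1"          # must equal the login name in: ssh USER1@server
KEY_ID="naitik-laptop-1"   # free-form label; sshd logs it on every cert login

# 1) CA side: one key pair whose private half never leaves the CA host.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$WORK/ca_key"
}

# 2) Client side: an ordinary user key pair (the id_rsa equivalent).
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL@laptop" -f "$WORK/user_key"
}

# 3) CA side: sign user_key.pub. The output, user_key-cert.pub, belongs next to
#    user_key on the CLIENT. -V bounds the lifetime; -O clear drops every
#    default extension so only a pty is granted (no agent/port/X11 forwarding).
sign_user_key() {
    ssh-keygen -q -s "$WORK/ca_key" -I "$KEY_ID" -n "$PRINCIPAL" \
        -V '-5m:+8h' -O clear -O permit-pty "$WORK/user_key.pub"
}

# 4) Server side: trust the CA, not the user key. One line in
#    ~USER1/.ssh/authorized_keys, or for all accounts in sshd_config:
#    TrustedUserCAKeys /etc/ssh/ca_key.pub
server_authorized_keys_line() {
    printf 'cert-authority %s\n' "$(cat "$WORK/ca_key.pub")"
}

# Does the decoded certificate contain the given pattern (ssh-keygen -L output)?
cert_has() {
    ssh-keygen -L -f "$WORK/user_key-cert.pub" | grep -q -- "$1"
}

# Does the "Signing CA" fingerprint in the cert match our CA public key?
cert_signed_by_ca() {
    fp="$(ssh-keygen -lf "$WORK/ca_key.pub" | awk '{print $2}')"
    ssh-keygen -L -f "$WORK/user_key-cert.pub" | grep -F -q -- "$fp"
}

# Offline sanity check: user cert, right principal, only permit-pty, right CA.
verify_cert() {
    cert_has 'user certificate' && cert_has "^ *$PRINCIPAL\$" \
        && cert_has 'permit-pty' && ! cert_has 'permit-X11-forwarding' \
        && cert_signed_by_ca
}

if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca; make_user_key; sign_user_key
    server_authorized_keys_line > "$WORK/authorized_keys"
    verify_cert || { echo "certificate check failed" >&2; exit 1; }
    ssh-keygen -L -f "$WORK/user_key-cert.pub"
    echo "client: ssh -i $WORK/user_key $PRINCIPAL@server   # ssh also loads user_key-cert.pub"
else
    echo "ssh-keygen not found; nothing generated" >&2
fi
```

Run it with `sh` and set WORK to keep the generated files. The offline checks only confirm what the certificate claims (type, principal, extensions, named CA); the signature itself, the validity window and the principal-to-account match are enforced by sshd at login, which is also where a wrong `-n` principal or a cert file left on the server instead of the client shows up as a failed authentication.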