Willard Dawson
2011-Nov-05 11:42 UTC
FW: Help with CA Certificates for user authentication?
My apologies to the list for inadvertently taking this offline. As info:

-----Original Message-----
From: Iain Morgan [mailto:Iain.Morgan at nasa.gov]
Sent: Friday, November 04, 2011 8:15 PM
To: wfdawson at bellsouth.net
Subject: Re: Help with CA Certificates for user authentication?

On Fri, Nov 04, 2011 at 11:53:25 -0500, wfdawson at bellsouth.net wrote:
>
> Thanks for the clarification. I started to suspect that I was misreading the intent of sigs for user auth keys as I reread those articles. What got me down the wrong path was my interpretation of the recent "what's new in openssh" slide deck.
>
> I care about batch mode sftp from unix systems but have to also architect key mgt. Null passphrase private keys are mostly not acceptable in our org, though trusting a key that has been signed by our own CA for auth, even if there is no "user password" applied, would likely get a "pass."
>
> For us, the compromise position that may be acceptable would be to use openssh CA trust applied to null passphrase user keys, tightened down to allow specific file transfer scripts on the server side.
>

Right, one of the advantages of using certificates is that the restrictions are assigned at the point where the cert is generated, rather than relying upon the user to put appropriate restrictions in an authorized_keys file. And, you can also limit the lifetime of the cert.

> Now that I better understand the auth limitations, I know where to focus this effort.
>
> Thanks, again.

Glad to be of help.

--
Iain

>
> Sent via BlackBerry by AT&T
>
> -----Original Message-----
> From: Iain Morgan <imorgan at nas.nasa.gov>
> Date: Fri, 4 Nov 2011 09:30:43
> To: wfdawson<wfdawson at bellsouth.net>
> Cc: openssh-unix-dev at mindrot.org<openssh-unix-dev at mindrot.org>
> Subject: Re: Help with CA Certificates for user authentication?
>
> Using certificates does not bypass the need for a passphrase. For both
> certificate and public-key authentication, the candidate key or
> certificate is first presented to the server to see if it will be
> accepted. If the server is willing to accept the key or cert, you then
> move on to the stage where an actual signature is required.
>
> Note that just as with conventional public-key authentication, you can
> use ssh-agent to avoid having to enter the passphrase every time.
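
The setup discussed in this thread (a null-passphrase batch key whose restrictions and lifetime are fixed when the certificate is issued) can be reproduced with ssh-keygen. This is an added example, not part of the original messages; it assumes a current OpenSSH with ed25519 support, and the names batch-ca, xfer_key, xfer-job-01, sftpbatch and the script path /usr/local/bin/batch-xfer are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed names: batch-ca, xfer_key,
# xfer-job-01, sftpbatch; /usr/local/bin/batch-xfer is a hypothetical script.

# Create a CA and a null-passphrase batch key in $1, sign the key with the
# restrictions baked into the certificate, then print the certificate.
issue_restricted_cert() {
    dir=$1

    # CA key pair. Empty passphrase only to keep the demo non-interactive;
    # a real CA private key is passphrase-protected and kept off the clients.
    ssh-keygen -q -t ed25519 -N '' -C batch-ca -f "$dir/batch-ca" || return 1

    # Unattended transfer key with no passphrase, as discussed in the thread.
    ssh-keygen -q -t ed25519 -N '' -C xfer -f "$dir/xfer_key" || return 1

    # -I  key ID recorded in sshd's log when the cert is used
    # -n  principal (login name) the cert is valid for
    # -V  validity: from now until one day from now
    # -O clear          drop pty, forwarding and user-rc permissions
    # -O force-command  run only this command, whatever the client requests
    ssh-keygen -q -s "$dir/batch-ca" -I xfer-job-01 -n sftpbatch -V +1d \
        -O clear -O force-command=/usr/local/bin/batch-xfer \
        "$dir/xfer_key.pub" || return 1

    # Writes xfer_key-cert.pub next to the key; -L decodes it for review.
    ssh-keygen -L -f "$dir/xfer_key-cert.pub"
}

# Server side: point TrustedUserCAKeys in sshd_config at batch-ca.pub.
if [ "$#" -eq 1 ]; then
    issue_restricted_cert "$1"
fi
```

Run it with an empty scratch directory as the only argument. The decoded certificate should list the forced command under Critical Options and show no extensions.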