[ssh_x509] Trying to understand X509 v OpenSSH certificates

ssh_x509 at roumenpetrov.info
Sat Sep 29 00:17:56 EEST 2012

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> Thanks for your previous reply.  After reading it I realised that I may be
> very confused about X509 certificates (sorry!).  So now I have another
> question, which is about user authentication.
> With OpenSSH (not X509) certificates I can:
>   - Generate a signed certificate that associates the user's key pair with
>     a given identity (username).
>   - Configure the sshd on the host with the CA certificate.
> After this, the user can connect to the host as the given identity.  There is
> no need to modify authorized_keys on the host.
> Can I do this with X509 certificates?  The example I have found at
> http://forums.gentoo.org/viewtopic-t-441064.html still requires that I modify
> the authorized_keys file on the host (if I understand correctly).

Use of X.509 distinguished name is recommended but not required.

> Is it possible to use X509 in the same way as OpenSSH certificates, so that I
> do not need to modify authorized_keys?  (by using CN to specify the identity).

OpenSSH custom certificate is a lame implementation of PKI.

> Thanks and sorry for the confusion / questions,
> Andrew
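
The OpenSSH (non-X.509) certificate workflow described in the question, as an added example that is not part of the original messages: a CA key signs the user's public key for one login name, and sshd is pointed at the CA public key with `TrustedUserCAKeys`, so no per-user `authorized_keys` entry is needed. The file names, the key ID and the principal `andrew` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: OpenSSH user-certificate workflow (not the X.509 variant).
# File names, key ID and principal are assumptions, not from the thread.

# issue_user_cert DIR PRINCIPAL
# Creates a CA key pair and a user key pair in DIR, then signs the user's
# public key so the certificate is valid only for login name PRINCIPAL.
issue_user_cert() {
    dir=$1 principal=$2
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$dir/user_ca" &&
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/id_ed25519" &&
    # -s: CA private key      -I: key ID recorded in sshd logs
    # -n: allowed principals  -V: validity window (kept short on purpose)
    ssh-keygen -q -s "$dir/user_ca" -I "$principal-laptop" -n "$principal" \
        -V +1d "$dir/id_ed25519.pub"
}

# cert_principals CERT
# Prints the principals (login names) a certificate is valid for, one per
# line, so a certificate can be audited before it is handed out.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/       { on = 1; next }
        /^ *Critical Options:/ { on = 0 }
        on { gsub(/^[ \t]+/, ""); print }'
}

# sshd_ca_config CA_PUB_PATH
# Prints the server-side sshd_config line that makes sshd accept any
# unexpired certificate signed by this CA whose principal list contains
# the account name being logged in to.
sshd_ca_config() {
    printf 'TrustedUserCAKeys %s\n' "$1"
}
```

The signing step writes `id_ed25519-cert.pub` next to the user's key; only `user_ca.pub` has to be copied to the host, and the CA private key should never leave the signing machine.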

