[ssh_x509] Public Key Authentication

ssh_x509 at roumenpetrov.info
Thu Dec 6 09:16:53 EET 2012

Hi Roumen, thank you for that information,
First answer is that multiple requred authentification is fine, but we want to stop using password, just cerfificate from our smart card witch we use it to logon to windows 7 machines. That certificate( public keys) works well for authentification onto ssh server. I agree to you that superuser always can impersonate other user but we audit this action and alert it. We don't audit direct logon and changing in any way of authorized_keys. If we do this will be maybe to late, user will directly login as somebody else.

So our X.509 certificate contains a principal name which contains our uid at domain. We can add just a uid attribute which contains the username; you just need to be able to read this and match it to the username we provide when we initiate ssh login.

Kind regards, 


On 5. 12. 2012., at 00:02, Roumen Petrov <openssh at roumenpetrov.info> wrote:

> Hi Goran,
> Goran Sustek wrote:
>> [SNIP]
>> Public key authentication needs another mechanism for mapping users.
>> The OpenSSH protocol expects an SSH_MSG_USERAUTH_REQUEST message, so like I
>> demonstrated in the first post we can easily impersonate someone during ssh
>> logon if we copy authorized_keys to the impersonated user's home directory. With
>> only user/password authentication this same impersonation requires
>> knowing the user's password...
> The next OpenSSH version will finally support "multiple required authentications".
> For example the server could require first public key and then password authentication to complete successfully.
> Maybe this will resolve your case only for "direct" logon.
>> So can we somehow patch the OpenSSH source code to read from the X509v3
>> certificate only the CN or principal name or something we want and pair it
>> with the username we provide when we try to ssh. And if this does not match, we
>> abort logon.
> Maybe if the X.509 certificate contains a user identifier (uid) as an extension element, the server could be patched to require an exact match to allow logon.
> UID is defined as an attribute of the posix account in the NIS schema.
> [SNIP]
> None of the above could stop a superuser from "impersonating" another user.
> Roumen Petrov
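Added example, not code from this thread or from ssh_x509: the server-side check the two of them describe, reading the UID attribute out of the certificate subject and requiring an exact match with the login name the client requested. It works on a DER-encoded subject Name built inline as a constructed sample (a real sshd would take the Name from the already chain-verified certificate) and leaves the principal-name (UPN) form in the SAN out of scope.

```python
# Added example, not code from the thread or from ssh_x509: match the certificate's UID to the login name.
UID_OID = bytes.fromhex("0992268993f22c640101")  # DER of 0.9.2342.19200300.100.1.1 (userid, RFC 4519)
CN_OID = bytes.fromhex("550403")                 # DER of 2.5.4.3 (commonName)

def _der_len(n):
    """DER length: one byte below 128, otherwise 0x80|k followed by k big-endian bytes."""
    body = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n if n < 0x80 else 0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def make_subject(attrs):
    """Constructed test input: DER Name = SEQUENCE of RDN SETs, one UTF8String attribute each."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, val.encode())))
                    for oid, val in attrs)
    return _tlv(0x30, rdns)

def _walk(data):
    """Yield (tag, body) for each DER TLV in data; truncated input raises rather than yielding."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        body = data[i:i + n]
        if len(body) != n:
            raise ValueError("truncated DER body")
        yield tag, body
        i += n

def subject_uids(name_der):
    """Return every UID value in the Name, whichever RDN or position it sits in."""
    outer = list(_walk(name_der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a single Name SEQUENCE")
    uids = []
    for _, rdn in _walk(outer[0][1]):         # each RDN is a SET
        for _, atv in _walk(rdn):             # AttributeTypeAndValue SEQUENCE
            (otag, oid), (vtag, val) = list(_walk(atv))
            if otag == 0x06 and oid == UID_OID and vtag in (0x0C, 0x13, 0x16):  # UTF8/Printable/IA5String
                uids.append(val.decode())
    return uids

def authorize(name_der, requested_user):
    """Thread's policy: exactly one UID, equal to the login name; missing or ambiguous UID denies."""
    uids = subject_uids(name_der)
    return len(uids) == 1 and uids[0] == requested_user
```

A certificate that carries no UID, or more than one, is refused outright instead of falling back to the CN, which is what keeps a copied authorized_keys file from mapping one person's certificate onto another account.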
