[ssh_x509] Allowing all non-revoked keys from a CA

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Sep 5 10:17:39 EEST 2013


Hello,

I'm just wondering how you would ensure a correct assignment to the
corresponding accounts. In the authorized_keys file the CN of the
certificate is assigned to the account for which that particular
certificate is valid. Therefore, I believe that you need this
information for the mechanism to work, and you need these files (maybe
I'm wrong and someone else knows a way to work around this problem).
However, assuming you need the authorized_keys files, you could
auto-generate them from the GECOS field of /etc/passwd each time you add
a user (or by a cron job that queries the LDAP server, depending on how
you manage your accounts). If you do so, it is your duty to issue them
with the CN matching that entry when you issue certificates.

Martin

On 05.09.2013 04:06, ssh_x509 at roumenpetrov.info wrote:
> Hello,
>
>   It's been over a week and I just wanted to check in to see if anyone
> knows how this can be accomplished.
>
> Thanks!
>
> On Sat, Aug 24, 2013 at 6:00 PM,  <ssh_x509 at roumenpetrov.info> wrote:
>> Hello,
>>
>>   This has probably been asked before but I can't seem to find any
>> reference of it in my searches.
>>
>>   Is there a way to define an authorized_keys that allows any non-revoked
>> key issued by the CA to authenticate successfully?  In my application I
>> will issue many more keys than I revoke and updating the authorized_keys
>> file for every new cert+key generated somewhat defeats the purpose of the
>> "chain of trust" for me.
>>
>>   I've tried every combination of hacks, docs, etc that I can find or think
>> of to no avail.  Other than that I have everything working perfectly; what
>> a great project!
>>
>> Thanks!
>>
>> --
>> Kristian Kielhofner
>> _______________________________________________
>> ssh_x509 mailing list
>> ssh_x509 at roumenpetrov.info
>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
>
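The generation step Martin describes, as an added example that is not code from this thread or from the ssh_x509 project: it derives one authorized_keys entry per regular account from the GECOS full name, assuming (not stated in the thread) that the server accepts `x509v3-sign-rsa Subject: <DN>` lines and that the CA builds every subject DN from the same base DN plus the account's CN.

```python
"""Per-account authorized_keys entries built from the GECOS field, as Martin
suggests. The 'x509v3-sign-rsa Subject: <DN>' line format and the base DN are
assumptions, not taken from the thread; adjust them to the CA actually in use."""
from typing import Dict, List, Optional

KEY_TYPE = "x509v3-sign-rsa"   # assumed key type accepted by the server
BASE_DN = "/O=Example Org"     # assumed prefix the CA puts in every subject DN

# Constructed sample passwd content; not a real system file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Liddell,Room 12,555-0100,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Builder:/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
"""

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed passwd line (seven colon-separated fields)."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[0]:
            out.append({"name": parts[0], "uid": parts[2], "gecos": parts[4]})
    return out

def account_cn(entry: Dict[str, str]) -> Optional[str]:
    """CN an account's certificate must carry: the GECOS full-name subfield.
    Empty names and names containing the DN separator '/' yield None, so the
    account gets no entry rather than an ambiguous one."""
    full_name = entry["gecos"].split(",")[0].strip()
    return full_name if full_name and "/" not in full_name else None

def authorized_keys_line(cn: str) -> str:
    """Line matching any valid CA-issued certificate whose subject has this CN."""
    return f"{KEY_TYPE} Subject: {BASE_DN}/CN={cn}"

def generate(text: str, min_uid: int = 1000) -> Dict[str, str]:
    """Account name -> authorized_keys line for regular (uid >= min_uid) users."""
    result = {}
    for entry in parse_passwd(text):
        if int(entry["uid"]) < min_uid:
            continue   # system accounts never get certificate-based access
        cn = account_cn(entry)   # the same CN the CA must put in the certificate
        if cn is not None:
            result[entry["name"]] = authorized_keys_line(cn)
    return result

if __name__ == "__main__":
    for user, line in generate(SAMPLE_PASSWD).items():
        print(f"{user}: {line}")
```

These lines only bind a subject name to an account; the server still needs the CA certificate and its revocation data configured for the "non-revoked" part of the original question to hold.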