[ssh_x509] Allowing all non-revoked keys from a CA

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Sep 5 18:24:51 EEST 2013


Hi Martin,

  Ideally one could use a mechanism like the one in place for other
X.509-aware applications.  Apache httpd, various mail servers, etc. all
allow the authorization of a client as long as the client presents a
cert signed by a configured CA (with an optional CRL for revocations,
of course).

  I'm not sure how this would be configured with X.509 SSH but
providing the CA cert that has signed all other keys as an entry in
authorized_keys for the user could be a start.  LDAP could be a nice
add-on but should not be necessary.

  Essentially I'm looking for a mechanism where a CA and CRL can be
defined and login allowed for a given user account for ALL valid
cert+key combinations (similar to all other X.509 SSL aware
applications).


On Thu, Sep 5, 2013 at 3:17 AM,  <ssh_x509 at roumenpetrov.info> wrote:
> Hello,
>
> I'm just wondering how you would ensure a correct assignment to the
> corresponding accounts. In the authorized_keys file the CN of the
> certificate is assigned to the account for which that particular
> certificate is valid. Therefore, I believe that you need this
> information for the mechanism to work, and you need these files (maybe
> I'm wrong and someone else knows a way to work around this problem).
> However, assuming you need the authorized_keys files, you could
> auto-generate them from the gecos-field of /etc/passwd each time you add
> a user (or by a cron job that queries the ldap-server, depending on how
> you manage your accounts). If you do so, it is your duty to issue them
> with the CN matching that entry when you issue certificates.
>
> Martin
>
> On 05.09.2013 04:06, ssh_x509 at roumenpetrov.info wrote:
>> Hello,
>>
>>   It's been over a week and I just wanted to check in to see if anyone
>> knows how this can be accomplished.
>>
>> Thanks!
>>
>> On Sat, Aug 24, 2013 at 6:00 PM,  <ssh_x509 at roumenpetrov.info> wrote:
>>> Hello,
>>>
>>>   This has probably been asked before but I can't seem to find any
>>> reference of it in my searches.
>>>
>>>   Is there a way to define an authorized_keys that allows any non-revoked
>>> key issued by the CA to authenticate successfully?  In my application I
>>> will issue many more keys than I revoke and updating the authorized_keys
>>> file for every new cert+key generated somewhat defeats the purpose of the
>>> "chain of trust" for me.
>>>
>>>   I've tried every combination of hacks, docs, etc. that I can find or think
>>> of, to no avail.  Other than that I have everything working perfectly; what
>>> a great project!
>>>
>>> Thanks!
>>>
>>> --
>>> Kristian Kielhofner
>>> _______________________________________________
>>> ssh_x509 mailing list
>>> ssh_x509 at roumenpetrov.info
>>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>>
>>
>



-- 
Kristian Kielhofner
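As an added illustration of the scheme Martin describes (a CA plus CRL check, with accounts mapped from the gecos field), not code from this thread or from the ssh_x509 project: a POSIX shell sketch that accepts any certificate chaining to the configured CA and absent from its CRL, then maps the certificate CN to the local account whose gecos field holds exactly that CN. The file names, the exact-match gecos convention and the helper names are assumptions; the entry syntax of an X.509 authorized_keys file is deliberately left out of it.

```shell
#!/bin/sh
# Added example: "any non-revoked cert from our CA may log in, as the
# account whose gecos field carries the cert's CN". Assumed file names.
set -e

CA_CERT=${CA_CERT:-/etc/ssh/ca.pem}   # CA that signs all client certs
CA_CRL=${CA_CRL:-/etc/ssh/crl.pem}    # its current CRL (keep it fresh)

# cert_valid FILE -> exit 0 only if FILE chains to CA_CERT and its
# serial is not on CA_CRL. -crl_check also fails closed when the CRL
# itself has expired, so a stale CRL blocks logins rather than allowing
# revoked certs through.
cert_valid() {
  openssl verify -CAfile "$CA_CERT" -CRLfile "$CA_CRL" -crl_check "$1" \
    >/dev/null 2>&1
}

# cert_cn FILE -> prints the first CN of the leaf subject (RFC2253 form,
# so "subject=CN=alice,O=Example"); a CN containing an escaped comma is
# not handled by this simple split.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n1
}

# account_for_cn CN PASSWD_FILE -> username whose gecos (field 5) equals
# CN exactly; empty output when no account matches. Assumed convention:
# the CA issues certs with CN equal to the account's gecos entry.
account_for_cn() {
  awk -F: -v cn="$1" '$5 == cn { print $1; exit }' "$2"
}

# authorize CERT PASSWD_FILE -> prints the account to log in as, or
# returns 1 when the cert is untrusted, revoked, or maps to no account.
authorize() {
  cert_valid "$1" || return 1
  cn=$(cert_cn "$1")
  [ -n "$cn" ] || return 1
  acct=$(account_for_cn "$cn" "$2")
  [ -n "$acct" ] || return 1
  printf '%s\n' "$acct"
}
```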



