[ssh_x509] Allowing all non-revoked keys from a CA

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Sep 6 16:01:07 EEST 2013

Hi Kristian,

do I understand correctly: You are talking about one account to which
all users should be able to log in? Then, you could issue all
certificates with the same CN, so they are all allowed to log into that
account. The CRLs refer to the serial number, not to the CN, so you can
revoke them separately. Depending on the CA software you could probably
put the name of the person into a different field which is not included
in the certificate (just as an information for you, which certificate
you have issued to whom, in case you want to revoke a specific one). Or,
if you are running the CA, you can manage a separate list of serial
numbers and names/email-addresses, just to keep track of the serial
numbers so that you know which one to revoke.

If I misunderstood the last paragraph of your previous mail, then there
is a slight difference between X.509 aware ssh and apache for instance:
with apache you only check if the client presents a valid certificate,
but apache normally shows the same content to all users. If there is a
wiki or cms or something running below, it is up to that software, to
present different content depending on the context (CN of the client
cert). Some web applications may be able to create users on-demand in a
database... there are many different scenarios you could think of. But
on a linux box or a cluster or where ever the X.509-sshd is running, you
have pre-existing user accounts, with their entries in the /etc/passwd
file or LDAP, and their home directories... - well, the latter shouldn't
be the problem: you can auto-create the homedir with PAM, but somehow at
least the unix-username should be known on the system, if not in files,
then at least as an LDAP-entry... but what should be the user-name in
this case? the same as the CN string? Well, then you could also go the
other way round (compared to what I proposed in my previous mail): Most
CA software consist of a collection of scripts (OpenCA for instance uses
perl scripts), and you could add a section, which sets up the user
accounts, to the script which is responsible for issuing the
certificates (provided that your CA machine has root-access to the one
where the x509sshd is running).

best regards,

On 05.09.2013 17:24, ssh_x509 at roumenpetrov.info wrote:
> Hi Martin,
>   Ideally one could use a mechanism like the one in place for other
> X.509 aware applications.  Apache httpd, various mail servers, etc all
> allow the authorization of a client as long as the client presents a
> cert signed by a configured CA (with an optional CRL for revocations,
> of course).
>   I'm not sure how this would be configured with X.509 SSH but
> providing the CA cert that has signed all other keys as an entry in
> authorized_keys for the user could be a start.  LDAP could be a nice
> add-on but should not be necessary.
>   Essentially I'm looking for a mechanism where a CA and CRL can be
> defined and login allowed for a given user account for ALL valid
> cert+key combinations (similar to all other X.509 SSL aware
> applications).
> On Thu, Sep 5, 2013 at 3:17 AM,  <ssh_x509 at roumenpetrov.info> wrote:
>> Hello,
>> I'm just wondering how you would ensure a correct assignment to the
>> corresponding accounts. In the authorized_keys file the CN of the
>> certificate is assigned to the account for which that particular
>> certificate is valid. Therefore, I believe that you need this
>> information for the mechanism to work, and you need these files (maybe
>> I'm wrong and someone else knows a way to work around this problem).
>> However, assuming you need the authorized_keys files, you could
>> auto-generate them from the gecos-field of /etc/passwd each time you add
>> a user (or by a cron job that queries the ldap-server, depending on how
>> you manage your accounts). If you do so, it is your duty to issue them
>> with the CN matching that entry when you issue certificates.
>> Martin
>> On 05.09.2013 04:06, ssh_x509 at roumenpetrov.info wrote:
>>> Hello,
>>>   It's been over a week and I just wanted to check in to see if anyone
>>> knows how this can be accomplished.
>>> Thanks!
>>> On Sat, Aug 24, 2013 at 6:00 PM,  <ssh_x509 at roumenpetrov.info> wrote:
>>>> Hello,
>>>>   This has probably been asked before but I can't seem to find any
>>>> reference of it in my searches.
>>>>   Is there a way to define an authorized_keys that allows any non-revoked
>>>> key issued by the CA to authenticate successfully?  In my application I
>>>> will issue many more keys than I revoke and updating the authorized_keys
>>>> file for every new cert+key generated somewhat defeats the purpose of the
>>>> "chain of trust" for me.
>>>>   I've tried every combination of hacks, docs, etc that I can find or think
>>>> of to no avail.  Other than that I have everything working perfectly; what
>>>> a great project!
>>>> Thanks!
>>>> --
>>>> Kristian Kielhofner
>>>> _______________________________________________
>>>> ssh_x509 mailing list
>>>> ssh_x509 at roumenpetrov.info
>>>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>> _______________________________________________
>> ssh_x509 mailing list
>> ssh_x509 at roumenpetrov.info
>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info

More information about the ssh_x509 mailing list