[ssh_x509] Allowing all non-revoked keys from a CA

ssh_x509 at roumenpetrov.info
Sun Sep 15 16:00:19 EEST 2013


Hi Kristian,

I'm not sure that I understand your request.

> Hello Martin,
>
>    I've tried every iteration of subject/DN, etc mangling and I can't
> come up with an acceptable (to me) means of managing this scenario.
> Ideally I would be able to configure X509 SSH to ignore specific
> elements of the presented cert (CN, name, email, etc) and just do CA
> and CRL verification.

Ok, this is fine, but ssh login access is not the same as allowing access to 
some resources, web pages, etc.


First, you request "... In my application I
will issue many more keys than I revoke and updating the authorized_keys
file for every new cert+key generated somewhat defeats the purpose of the
"chain of trust" for me....."
The problem is that you did not specify details, and I would like to say: 
just put the certificate distinguished name (DN) in authorized keys. If 
the DN remains unchanged, the user could use any key+cert pair, assuming 
that the certificate is not revoked.

Next, your idea is based on "...Ideally one could use a mechanism like the 
one in place for other
X.509 aware applications.  Apache httpd, various mail servers, etc all
allow the authorization of a client as long as the client presents a
cert signed by a configured CA (with an optional CRL for revocations,
of course)...."
I'm not aware of authentication in mail servers, but I remember 
apache httpd well.
Maybe you mean a configuration rule to extract the user name from 
X.509 certificate data.

So far so good, but it is too late to use certificate information from the ssh 
protocol point of view. What I mean: the secure shell authentication 
requests contain the user name (!), then the method name, and then data specific 
to the method. For a detailed packet description see RFC 4252.

If I rephrase you, the request is to develop a new authentication process 
where the login (user) name is to be obtained from public key materials sent to 
the server?


[SNIP]

Regards,
Roumen Petrov
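The packet layout Roumen refers to, as an added example (not code from this post or from the ssh_x509 project): a minimal encoder and parser for the SSH_MSG_USERAUTH_REQUEST message of RFC 4252, showing that the user name is the first field and is already fixed before any key or certificate material is read. The user name and key blob are constructed sample values; the "x509v3-ssh-rsa" algorithm name is the one defined in RFC 6187.

```python
# SSH_MSG_USERAUTH_REQUEST (RFC 4252, sections 5 and 7), encoded with the
# RFC 4251 "string" type: uint32 length followed by the bytes.
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def build_publickey_query(user: str, service: str, key_alg: str, key_blob: bytes) -> bytes:
    """Query form of the publickey method (boolean FALSE, no signature).
    The user name is the very first field after the message number."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode()) + ssh_string(service.encode())
            + ssh_string(b"publickey") + b"\x00"
            + ssh_string(key_alg.encode()) + ssh_string(key_blob))

def parse_userauth_request(pkt: bytes) -> dict:
    """Decode the generic header, then the publickey-specific fields.
    Raises ValueError on truncated input instead of reading past the buffer."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    pos = 1

    def read_string() -> bytes:
        nonlocal pos
        if pos + 4 > len(pkt):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", pkt[pos:pos + 4])
        pos += 4
        if pos + n > len(pkt):
            raise ValueError("truncated string")
        s = pkt[pos:pos + n]
        pos += n
        return s

    # Generic part: user name, service name, method name, in that order.
    fields = {"user": read_string().decode(), "service": read_string().decode(),
              "method": read_string().decode()}
    if fields["method"] == "publickey":
        if pos >= len(pkt):
            raise ValueError("missing signature flag")
        has_sig = pkt[pos] != 0
        pos += 1
        fields["key_alg"] = read_string().decode()
        fields["key_blob"] = read_string()            # certificate/key material comes last
        fields["signature"] = read_string() if has_sig else None
    return fields
```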
