[ssh_x509] Use of authorized_key file with X509 Certificates

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Aug 11 22:30:12 EEST 2017

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> When using PKIXSSH, is it possible for sshd to allow access to a client
> presenting an X509 certificate when that client's certificate passes an
> X509 verification with the CA certificate sshd is configured with? If so,
> how is this configured?
Verification is controlled by options such as CACertificateFile etc., i.e. 
the configuration of the "X.509 store": files with X.509 certificates used 
to build the chain.
Nothing specific. It is the standard way to set up Apache, PKIX-SSH, curl 
and other programs.

> It seems that sshd checks for the presence of the client's public key in
> the authorized_key file before moving on to the X509 verify.

Not exactly.
It checks for a line that matches the identity presented by the client. In 
the case of PKIX-SSH it could be:

(a) plain public key
     (record in format ssh-rsa AAAAB3Nza...)
     In this case the public part of the X.509 certificate has to match the 
public key. The line is useful for compatibility.

(b) X.509 certificate
     (x509v3-ecdsa-sha2-nistp521 MIIHIDCCBomgAwIBAgIJIAQC.., where 
MIIHIDC... is base64 encoded certificate)
   In this case the distinguished names of the certificates are compared.

(c) distinguished name (preferred)
     (sample: x509v3-ssh-rsa Subject: emailAddress=email at not.set,CN=SSH 
RSA test certificate(rsa_sha1),OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-3,OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-1,OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-2,O=SSH Test Team cyrillic-АБВ-Яабв-я 
   In this case the distinguished name of the certificate is compared with 
the name built from the line.

This process is like a map between a "user name" and the 
allowed/accepted/authorized "identities".

When a matching record (line) is found, verification and validation of the 
certificate chain (client certificate included) is performed.

> Thanks,
> Peter
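
As an added example, not part of the original post and not PKIX-SSH code: a
toy matcher for the three authorized_keys record forms described in the reply
(plain public key, base64 certificate, distinguished name) and the "user name
to identities" lookup. The DN comparison (ordered RDNs, case-insensitive
attribute names, exact values), the Record/Identity types and the injected
subject_of() callback for the certificate form are simplifying assumptions; the
sample keys, certificate bytes and DN are constructed, not real.

```python
"""Toy matcher for PKIX-SSH style authorized_keys records (added example,
not PKIX-SSH's own logic; see the assumptions in the lead-in)."""
import base64
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RDN = List[Tuple[str, str]]


def parse_dn(text: str) -> RDN:
    """'emailAddress=a,CN=b' -> [('emailaddress', 'a'), ('cn', 'b')].
    A backslash escapes the next character, so values may contain commas."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


@dataclass
class Record:
    kind: str                 # 'pubkey', 'cert' or 'dn' (forms a, b, c)
    keytype: str              # e.g. 'ssh-rsa' or 'x509v3-ssh-rsa'
    blob: bytes = b""         # decoded key or certificate (forms a, b)
    dn: Optional[RDN] = None  # parsed subject (form c)


def parse_record(line: str) -> Optional[Record]:
    """Classify one authorized_keys line; comments and blank lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    keytype, _, rest = line.partition(" ")
    if keytype.startswith("x509v3-") and rest.startswith("Subject:"):
        return Record("dn", keytype, dn=parse_dn(rest[len("Subject:"):]))
    blob = rest.split(None, 1)[0] if rest else ""  # trailing comment ignored
    kind = "cert" if keytype.startswith("x509v3-") else "pubkey"
    return Record(kind, keytype, blob=base64.b64decode(blob))


@dataclass
class Identity:
    """What the client presented: its public key blob and, for X.509,
    the certificate's subject DN string."""
    pubkey_blob: bytes
    subject: str = ""


def find_match(lines: List[str], ident: Identity,
               subject_of: Optional[Callable[[bytes], str]] = None) -> Optional[int]:
    """Return the index of the first line the identity matches, else None.
    subject_of extracts the subject DN from a stored certificate's DER bytes
    (form b); real code would use an X.509 parser, here it is injected so
    the example stays stdlib-only. Chain validation is out of scope."""
    want_dn = parse_dn(ident.subject) if ident.subject else None
    for i, line in enumerate(lines):
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.kind == "pubkey" and rec.blob == ident.pubkey_blob:
            return i
        if rec.kind == "dn" and want_dn is not None and rec.dn == want_dn:
            return i
        if rec.kind == "cert" and want_dn is not None and subject_of:
            if parse_dn(subject_of(rec.blob)) == want_dn:
                return i
    return None


# Constructed sample data (not real keys or certificates).
SAMPLE_PUBKEY = base64.b64encode(b"constructed-rsa-key-blob").decode()
SAMPLE_CERT = base64.b64encode(b"constructed-der-certificate").decode()
SAMPLE_DN = "emailAddress=email@not.set,CN=SSH RSA test certificate(rsa_sha1),OU=SSH Testers"
SAMPLE_LINES = [
    "# form (a): plain public key, must equal the certificate's public part",
    f"ssh-rsa {SAMPLE_PUBKEY} compat@example",
    "# form (b): base64 certificate, compared by subject DN",
    f"x509v3-ssh-rsa {SAMPLE_CERT}",
    "# form (c): distinguished name, the preferred form",
    f"x509v3-ssh-rsa Subject: {SAMPLE_DN}",
]

if __name__ == "__main__":
    client = Identity(pubkey_blob=b"other-key", subject=SAMPLE_DN)
    print("matched line:", find_match(SAMPLE_LINES, client))  # form (c)
```

The matcher only answers the "is there a record for this identity" question;
as the reply says, the chain verification and validation against the
configured CA store happens after a matching line is found, and is a separate
step.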

