[ssh_x509] Use of authorized_key file with X509 Certificates

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Aug 12 00:47:16 EEST 2017

Hi Roumen,

Thank you for the clarification on what exactly can be checked in the
authorized_key file.

Suppose PKIX-SSH did not perform any of those checks in the authorized_keys
file and instead allowed a client to proceed if its certificate passed the
X509_verify() against the CA cert in sshd's trust store; aside from the
sole reliance on the CA, do you see any flaws in doing this?



On Fri, Aug 11, 2017 at 3:30 PM <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
> > Hi,
> >
> > When using PKIXSSH, is it possible for sshd to allow access to a client
> > presenting an X509 certificate when that client's certificate passes an
> > X509 verification with the CA certificate sshd is configured with? If so,
> > how is this configured?
> Verification is controlled by options CACertificateFile
> CACertificateFile and etc., i.e. configuration of the "X.509 store" - files
> with X.509 certificates used to build the chain.
> Nothing specific. It is the standard way to set up Apache, PKIX-SSH, curl
> and other programs.
> > It seems that sshd checks for the presence of the client's public key in
> > the authorized_key file before moving on to the X509 verify.
> Not exactly.
> It checks for a line that matches the identity presented by the client. In the case of
> PKIX-SSH it could be:
> (a) plain public key
>      (record in format ssh-rsa AAAAB3Nza...)
>      In this case the public part of the X.509 has to match the public key. The line is
> useful for compatibility.
> (b) X.509 certificate
>      (x509v3-ecdsa-sha2-nistp521 MIIHIDCCBomgAwIBAgIJIAQC.., where
> MIIHIDC... is base64 encoded certificate)
>    In this case the distinguished names of the certificates are compared.
> (c) distinguished name (preferred)
>      (sample: x509v3-ssh-rsa Subject: emailAddress=email at not.set,CN=SSH
> RSA test certificate(rsa_sha1),OU=SSH Testers cyrillic-АБВ-Яабв-я
> greek-ΑΒΓ-Ωαβγ-ω-3,OU=SSH Testers cyrillic-АБВ-Яабв-я
> greek-ΑΒΓ-Ωαβγ-ω-1,OU=SSH Testers cyrillic-АБВ-Яабв-я
> greek-ΑΒΓ-Ωαβγ-ω-2,O=SSH Test Team cyrillic-АБВ-Яабв-я
> greek-ΑΒΓ-Ωαβγ-ω,ST=World,C=XX)
>    In this case the distinguished name of the certificate is compared with the name
> built from the line.
> This process is like map between "user name" and
> allowed/accepted/authorized "identities".
> When a matching record (line) is found, verification and
> validation of the certificate chain is then performed (client certificate is included).
> > Thanks,
> >
> > Peter
> Regards,
> Roumen
> --
> Secure shell with X.509 certificate support
> http://roumenpetrov.info/secsh/
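The two-step check described in the quoted reply (find a matching authorized_keys line, then validate the chain), next to the CA-only variant asked about at the top, as an added Python model that is not PKIX-SSH code and not part of the original thread. The `Presented` record, the issuer-set stand-in for chain validation, the order-insensitive DN comparison, the `stored_cert_subject` lookup and all sample names and blobs are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Presented:
    """Identity offered by the client (constructed model, not a parsed cert)."""
    pubkey_b64: str   # public key blob carried by the certificate
    subject: str      # subject DN as "attr=value,attr=value"
    issuer: str       # issuer name; stands in for real chain building

def dn_key(dn):
    # Assumption of this model: DNs match when their attr=value pairs match.
    # Naive split; escaped commas inside values are not handled.
    pairs = (rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn)
    return sorted((a.strip().lower(), v.strip()) for a, v in pairs)

def line_matches(line, p, stored_cert_subject):
    algo, _, rest = line.strip().partition(" ")
    fields = rest.split()
    if not fields:
        return False
    if not algo.startswith("x509v3-"):           # (a) plain public key
        return fields[0] == p.pubkey_b64
    if fields[0] == "Subject:":                  # (c) distinguished name
        return dn_key(rest.split(":", 1)[1]) == dn_key(p.subject)
    stored = stored_cert_subject.get(fields[0])  # (b) base64 certificate
    return stored is not None and dn_key(stored) == dn_key(p.subject)

def chain_ok(p, trusted_issuers):
    # Placeholder for building and validating the chain against the X.509 store.
    return p.issuer in trusted_issuers

def authorize(lines, p, trusted_issuers, stored_cert_subject=None, skip_map=False):
    # skip_map=True models the CA-only variant asked about in the reply.
    table = stored_cert_subject or {}
    matched = skip_map or any(
        line_matches(l, p, table)
        for l in lines if l.strip() and not l.lstrip().startswith("#"))
    return matched and chain_ok(p, trusted_issuers)

# Constructed sample data: two users whose certificates come from the same CA.
CA = "CN=Example Test CA"
ALICE_KEYS = ["x509v3-ssh-rsa Subject: CN=alice,O=Example,C=XX"]
alice = Presented("AAAAB3NzaALICE", "C=XX, O=Example, CN=alice", CA)
bob = Presented("AAAAB3NzaBOB", "CN=bob,O=Example,C=XX", CA)

if __name__ == "__main__":
    print("alice -> alice account:", authorize(ALICE_KEYS, alice, {CA}))
    print("bob   -> alice account:", authorize(ALICE_KEYS, bob, {CA}))
    print("bob, CA check only    :", authorize(ALICE_KEYS, bob, {CA}, skip_map=True))
```

With the per-account map in place, a certificate issued to bob is rejected for alice's account even though its chain is valid; with the map skipped, every certificate the CA has issued is accepted for every account.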