[ssh_x509] Use of authorized_key file with X509 Certificates

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Aug 13 17:36:54 EEST 2017

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> Thank you for the clarification on what exactly can be checked in the
> authorized_key file.
> Suppose PKIX-SSH did not perform any of those checks in the authorized_keys
> file and instead allowed a client to proceed if its certificate passed the
> X509_verify() against the CA cert in sshd's trust store; aside from the
> sole reliance on the CA, do you see any flaws in doing this?

Without a map between distinguished name and login name, every user with a 
valid certificate could log on to the system with any name.

In some cases AuthorizedKeysCommand could help (dynamic generation of 
authorization) instead of static information from files listed in the 
AuthorizedKeysFile configuration.

> Thanks,
> Peter


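The point made in the reply above, as an added illustration that is not part of PKIX-SSH or of this thread: a certificate that merely chains to a trusted CA says nothing about which login name its holder may use. The script below models the two policies side by side (CA-only versus CA plus a subject-DN-to-login map) and, in the style of an AuthorizedKeysCommand helper, emits the entries configured for a given login. The chain check is represented by a boolean (assumed to come from X509_verify() against sshd's trust store), the mapping table `DN_MAP`, the login names and DNs are constructed sample data, and the `KEY_TYPE_PREFIX` used in the emitted lines is an assumption of this example; the exact authorized_keys syntax for X.509 entries must be taken from the PKIX-SSH documentation.

```python
"""Added example (not PKIX-SSH code): CA-only versus DN-mapped authorization."""
import sys
from typing import Dict, List, Tuple

# Constructed sample mapping: login name -> subject DNs allowed to use it.
# A real AuthorizedKeysCommand would read this from a file or directory.
DN_MAP: Dict[str, List[str]] = {
    "alice": ["CN=alice,OU=Dev,O=Example"],
    "deploy": ["CN=alice,OU=Dev,O=Example", "CN=ci-runner,OU=Ops,O=Example"],
}

# Assumed key-type prefix for an X.509 authorized_keys entry; illustrative only.
KEY_TYPE_PREFIX = "x509v3-sign-rsa"

DN = Tuple[Tuple[str, str], ...]


def parse_dn(dn: str) -> DN:
    """Parse an RFC 4514 style DN ("CN=alice,OU=Dev,O=Example") into a
    normalised tuple of (TYPE, value) pairs.  Backslash-escaped ',' and '='
    are kept literally, attribute types are upper-cased and values are
    stripped of surrounding whitespace, so cosmetic differences in how the
    DN was written do not defeat the comparison.  RDN order is significant
    and is preserved."""
    pairs = []
    attr_type = None
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif c == ",":
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '=' in %r" % dn)
    pairs.append((attr_type, "".join(buf).strip()))
    return tuple(pairs)


def ca_only_policy(chain_ok: bool, subject_dn: str, login: str) -> bool:
    """The proposal in the question: any certificate that chains to the CA
    may log in under any name.  The subject and login are not consulted."""
    return chain_ok


def mapped_policy(chain_ok: bool, subject_dn: str, login: str,
                  mapping: Dict[str, List[str]] = DN_MAP) -> bool:
    """CA check plus a DN-to-login map: the certificate must chain to the CA
    AND its subject must be listed for the requested login name."""
    if not chain_ok:
        return False
    wanted = parse_dn(subject_dn)
    return any(parse_dn(allowed) == wanted for allowed in mapping.get(login, []))


def authorized_entries(login: str,
                       mapping: Dict[str, List[str]] = DN_MAP) -> List[str]:
    """What an AuthorizedKeysCommand helper would print for %u: one entry per
    DN permitted for that login, and nothing at all for unknown logins."""
    return ["%s %s" % (KEY_TYPE_PREFIX, dn) for dn in mapping.get(login, [])]


if __name__ == "__main__":
    # Usage: script.py <login>   (mirrors an AuthorizedKeysCommand taking %u)
    for line in authorized_entries(sys.argv[1] if len(sys.argv) > 1 else ""):
        print(line)
```

Run with a login name as the only argument to see the entries that login would receive; a subject DN that is not mapped to the requested login yields no entries, which is exactly the rejection the CA-only policy lacks.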