[ssh_x509] Use of authorized_key file with X509 Certificates

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Aug 14 16:52:36 EEST 2017


Understood, thanks again Roumen!

On Sun, Aug 13, 2017 at 10:36 AM <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
> > Hi Roumen,
> >
> > Thank you for the clarification on what exactly can be checked in the
> > authorized_key file.
> >
> > Suppose PKIX-SSH did not perform any of those checks in the
> > authorized_keys file and instead allowed a client to proceed if its
> > certificate passed the X509_verify() against the CA cert in sshd's trust
> > store; aside from the sole reliance on the CA, do you see any flaws in
> > doing this?
>
> Without a map between distinguished name and login name, every user with
> a valid certificate could log on to the system with any name.
>
> In some cases AuthorizedKeysCommand could help (dynamic generation of
> authorization) instead of static information from files listed in the
> AuthorizedKeysFile configuration.
>
> > Thanks,
> >
> > Peter
> [SNIP]
> Roumen
>
> --
> Secure shell with X.509 certificate support
> http://roumenpetrov.info/secsh/
>
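The difference between the CA-only check asked about in the quoted question and a distinguished-name-to-login map, as an added example that is not part of the thread and is not PKIX-SSH code. `DN_MAP`, the function names and the sample subjects are constructed for illustration, and the `x509v3-sign-rsa subject= ...` output line is an assumed authorized_keys form that should be checked against the PKIX-SSH README before use with AuthorizedKeysCommand.

```python
#!/usr/bin/env python3
"""Added example: per-login DN mapping, usable as an AuthorizedKeysCommand helper."""
import sys

# Constructed sample data: login name -> certificate subjects allowed to use it.
DN_MAP = {
    "peter": ["/C=XX/O=Example Org/CN=Peter Example"],
    "backup": ["C=XX, O=Example Org, CN=Backup Service"],
}

def parse_dn(dn):
    """Split '/C=XX/CN=a' or 'C=XX, CN=a' into ordered (attr, value) pairs.
    Simplification: escaped separators and multi-valued RDNs are not handled."""
    sep = "/" if dn.strip().startswith("/") else ","
    pairs = []
    for part in dn.split(sep):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), " ".join(value.split())))
    return tuple(pairs)

def ca_only_allows(chain_ok, cert_subject, login):
    """The hypothetical from the question: only the CA check decides."""
    return chain_ok  # subject and login are never compared

def mapped_allows(chain_ok, cert_subject, login):
    """CA check plus a DN-to-login map: the subject must be listed for this login."""
    allowed = {parse_dn(dn) for dn in DN_MAP.get(login, [])}
    return chain_ok and parse_dn(cert_subject) in allowed

def authorized_lines(login, keytype="x509v3-sign-rsa"):
    """Lines a helper would print for `login`; unknown logins get nothing."""
    out = []
    for dn in DN_MAP.get(login, []):
        rdns = "/".join(f"{a}={v}" for a, v in parse_dn(dn))
        out.append(f"{keytype} subject= /{rdns}")  # assumed line format
    return out

if __name__ == "__main__":
    # sshd passes the login name being authenticated as the first argument.
    print("\n".join(authorized_lines(sys.argv[1] if len(sys.argv) > 1 else "")))
```

`chain_ok` stands in for the result of certificate verification against the CA, which sshd performs itself; the helper only decides which subjects are bound to which login.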

