[ssh_x509] Disable Pubkey and Enable x509 Only

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Nov 7 22:27:13 EET 2018

Hi Jon,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> I downloaded and started configuring SSH with your patch. First of all, fantastic work. This is a very well-put-together patch.
> While configuring, I've come across a question:
> Is there a way (through sshd configuration) to disable Pubkey Auth, but retain X509 auth on the ssh server?
To be more precise disabling public key authentication includes X.509 as 
There are two options PubkeyAuthentication and HostbasedAuthentication.

> Based on what I've seen, it looks like the pubkey configuration in sshd_config enables or disables both pubkey and X509 auth.

PKIX-SSH supports fine tuning by algorithm.
Respective server options are PubkeyAlgorithms and HostbasedAlgorithms.

Let user rsa identity includes X.509 certificate. It could be used in 
following algorithms:
- x509v3-sign-rsa,
- x509v3-ssh-rsa
- rsa-sha2-512,
- rsa-sha2-256,
- ssh-rsa

So if on server side options PubkeyAlgorithms uses pattern x509v3-* only 
first two will be accepted in "publickey" authentication. Last three 
(related to "plain keys") will be rejected.
The list includes a number of algorithms for "custom" certificates but 
this is supported only for compatibility purposes.
Note that option PubkeyAuthentication  has to be set to yes (this is 
value by default) otherwise "publickey" authentication mechanism is 
disabled at all.

Similar to "hostbased" authentication but let skip details for now.

There is one more recent option AcceptedAlgorithms . Option is used in 
"extension negotiation mechanism". This mechanism is part of PKIX-SSH 
adaptive algorithm selection.

Also option takes precedence over options PubkeyAlgorithms and 

I would like to propose you to set only AcceptedAlgorithms to pattern 

Let me now if you need more details how this option impacts 
authentication process and adaptive algorithm selection.

> I understand that authorized_keys file can determine x509v3-* vs standard pubkey types, but I want to limit to only X509 certificates and no plain pubkeys through configuration. Is this possible?

Purpose of authorized_keys files is different. It is more like map 
between "user identity" and "logon name".

File is per user and each entry (line) contain information for "public 
part" or "distinguished name" of user identity, where "public part" is 
public key in specific encoding and "distinguished name" is X.509 
certificate subject suitable for multi-language use.

You should not worry If you X.509 subject has only base latin characters.
Otherwise for additional details see README.x509v3 : ... openssl ... 
-nameopt ....

> I'm am using pkix-ssh 11.4 with OpenSSH 7.8p1.
> Regards,
> Jon B


More information about the ssh_x509 mailing list