[ssh_x509] PKIX-SSH question

ssh_x509 at roumenpetrov.info
Thu Jun 24 00:07:39 EEST 2021

Hi Olivier,

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> I have been trying to figure out how to have an SSH host validate a user's
> certificate against a trusted CA. I have managed to make the certificate
> authentication work by adding the user's certificate (signed by the CA) to
> the authorized_keys file on the host machine. However, I would like to make
> this authentication work without needing to add the user's key to the
> authorized_keys file.
The goal of "authorized keys" is to map a login (user) to identities.

> In other words, I would like the host to authenticate
> the user's certificate by verifying the certificate chain.
Verification is part of authentication. It includes validation of the certificates in the chain.

> Is there a way
> to enable such x509 certificate authentication?
Secure shell public key authentication requires a "user name". As part of authentication, an identity is sent.
The identity could be a public key or a certificate.
On the remote side, a match is performed to check that the identity is allowed for the specified user. The map is "authorized keys".
For a plain key, the map should list the key.
For an X.509 certificate, the map could list the public key, the certificate, or the certificate's distinguished name.

> If it is possible, could
> you please detail the different steps needed to achieve this or provide a
> link to an example?
The map could be generated dynamically. For more details, see AuthorizedKeysCommand and the token %u (user name).
So if a certificate "distinguished name" can be generated from the user name, it will be possible to do some generalization in the authentication process.

> Thank you,
> Olivier Levasseur

Roumen Petrov

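The dynamic map that the reply above suggests, as an added example (this is not code from PKIX-SSH or from anyone in this thread): an AuthorizedKeysCommand helper that derives a certificate distinguished name from the login name passed as %u and prints authorized_keys lines for it. AuthorizedKeysCommand, AuthorizedKeysCommandUser and %u are standard OpenSSH sshd_config features; the script path, the helper user, the DN prefix, the key type names and the "<keytype> Subject:<DN>" line syntax are assumptions, so check README.x509v3 of your PKIX-SSH version for the exact spelling it accepts.

```shell
#!/bin/sh
# Added example, not PKIX-SSH code: dynamic "authorized keys" map keyed on %u.
#
# Assumed sshd_config (the option names are standard OpenSSH; the path and
# the unprivileged helper user are assumptions):
#   AuthorizedKeysCommand     /usr/local/sbin/x509-authkeys %u
#   AuthorizedKeysCommandUser nobody
#
# Assumed authorized_keys line syntax for a certificate distinguished name
# (verify against README.x509v3 of the installed PKIX-SSH):
#   <keytype> Subject:<DN in OpenSSL one-line form>
#
# The organisation's DN prefix and the accepted key types are assumptions.
DN_PREFIX="/C=XX/O=Example Org/OU=People"
KEYTYPES="x509v3-sign-rsa x509v3-ssh-rsa x509v3-ecdsa-sha2-nistp256"

# %u is whatever login name the remote client put in its userauth request,
# so it is attacker-controlled. Accept only a conservative character set:
# no "/" or "=" (which would let a client pick another CN or add RDNs),
# no whitespace, no leading "-", and a sane length.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_.-]*|-*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Build the DN for a login name: CN is the login, everything else is fixed.
user_dn() {
    printf '%s/CN=%s' "$DN_PREFIX" "$1"
}

# Emit the dynamic map, one line per accepted key type. For a rejected
# name print nothing and fail, so sshd has no entry to match against.
gen_authorized_keys() {
    valid_user "$1" || return 1
    dn=$(user_dn "$1")
    for kt in $KEYTYPES; do
        printf '%s Subject:%s\n' "$kt" "$dn"
    done
}

# When invoked by sshd as "x509-authkeys <user>", emit the map for that user.
if [ "$#" -eq 1 ]; then
    gen_authorized_keys "$1"
fi
```

The printed entry only tells sshd which certificate subject is allowed for the login; it does not replace chain validation. The trust anchor for the user certificate chain is configured separately in the PKIX-SSH sshd_config (the CA certificate options, CACertificateFile / CACertificatePath as I recall them; confirm in the manual), and a certificate whose subject matches but whose chain does not validate against that CA must still be rejected by the daemon. Because the CN is derived from the login name, this generalization is only as strong as the CA's issuance policy: the CA must guarantee that the CN it signs really identifies that person.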