OpenSSH and X.509 Certificate Support

Hi Roumen,

I discovered that the need of appending the .pub part of id_rsa(client
key+cert) on the server can be eliminated by adding the Certificate Blob
to authorized_keys which could look something like this:

x509v3-sign-rsa subject=
/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client@company.com

This is extracted from the client certificate using openssl as described
in the README file provided by you at
http://roumenpetrov.info/openssh/x509h/README.x509v3

This system works fine, however my only concern is that I would like all
Clients (possessing a valid Client-Certifcates signed by the CA) to be
authenticated without having to place anything in the
~/.ssh/authorized_keys file on the server.(i.e authenticate all users if
they have a valid certificate without any subject line checking).

In Apache this is very much possible via mod_ssl as described in
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
Can a similar behavior be emulated in OpenSSH using the X.509 patch?

Please let me know your comments.

Thanks and Best Regards,
Sankalp
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev