Re: Support for RFC6187

On Thu, 4 May 2017, Edgar Zaiser wrote:

> Hello,
> 
> I was wondering if there's any reason why openssh is not supporting server
> authentication using "x509v3-rsa2048-sha256" which is defined in RFC6187?
> 
> Since it is recommended by the official document in Germany, namely
> "BSI-TR-02102-4", maybe it's worth going for it?

Hi,

We consider X.509 too complex a format to support. It dramatically
multiplies attack surface, especially in the crucial pre-authentication
phase of the protocol.

There are third-party patches to add X.509 to OpenSSH:
http://roumenpetrov.info/secsh/

Alternately, OpenSSH supports a much simpler certificate format that
achieves much the same result. There are a few guides and quite a few
third-party tools to manage these (e.g. CAs).

Cheers,
Damien Miller
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
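The reply above points to OpenSSH's own certificate format as the simpler alternative to X.509 for host authentication. As an added illustration that is not part of the thread, the following Python constructs an ssh-ed25519-cert-v01@openssh.com blob (placeholder key and signature bytes, not a real CA signature), walks its fixed field order as laid out in OpenSSH's PROTOCOL.certkeys, and applies the client-side policy checks (certificate type, hostname principal, validity window); signature verification is deliberately left out.

```python
import struct
HOST_CERT = 2  # PROTOCOL.certkeys: type 1 = user certificate, 2 = host certificate

def _s(b: bytes) -> bytes:  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _read_s(buf: bytes, off: int):  # decode an SSH 'string'; return (payload, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_constructed_cert(principals, valid_after, valid_before, cert_type=HOST_CERT) -> bytes:
    """Constructed ssh-ed25519-cert-v01@openssh.com blob; key and signature bytes are placeholders."""
    return b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32),                                  # nonce
        _s(b"\x11" * 32),                                  # host public key (placeholder)
        struct.pack(">QI", 7, cert_type),                  # serial, type
        _s(b"example-host"),                               # key id
        _s(b"".join(_s(p.encode()) for p in principals)),  # valid principals
        struct.pack(">QQ", valid_after, valid_before),
        _s(b""), _s(b""), _s(b""),                         # critical options, extensions, reserved
        _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32)),         # CA public key (placeholder)
        _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)),         # CA signature (placeholder)
    ])

def parse_cert(blob: bytes) -> dict:
    """Walk the fixed field order up to the validity window: no ASN.1, no extension OIDs."""
    c = {}
    c["keytype"], off = _read_s(blob, 0)
    _, off = _read_s(blob, off)                            # nonce
    c["pubkey"], off = _read_s(blob, off)
    c["serial"], c["type"] = struct.unpack_from(">QI", blob, off)
    c["key_id"], off = _read_s(blob, off + 12)
    plist, off = _read_s(blob, off)
    c["principals"], p = [], 0
    while p < len(plist):                                  # nested list of SSH strings
        name, p = _read_s(plist, p)
        c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off)
    return c                                               # options, extensions, CA key, signature follow

def check_host_cert(blob: bytes, hostname: str, now: int) -> str:
    """Client-side policy checks on a host certificate; CA signature verification is left out here."""
    c = parse_cert(blob)
    problems = [
        (not c["keytype"].endswith(b"-cert-v01@openssh.com"), "not a certificate"),
        (c["type"] != HOST_CERT, "not a host certificate"),
        (hostname not in c["principals"], "hostname not in principals"),
        (not c["valid_after"] <= now < c["valid_before"], "outside validity window"),
    ]
    return next((msg for bad, msg in problems if bad), "ok")
```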