Recent posts here [1] and one of my engineers brought up certificate authentication topics at the same time, sorry for the necromancing.

> -----Original Message----- [2]
> From: Iain Morgan
> Sent: Monday, June 7, 2010 7:23 PM
>
> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > Hello,
> >
> > I would like to know whether OpenSSH supports x509 certificate based
> > authentication.
>
> No, although Roumen Petrov maintains a patch that adds such support.

I assume this is referring to RFC 6187.

<snip/>

> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.

Is this still the case? Reading PROTOCOL.certkeys [3], the preamble has not changed since 2010.

What could possibly allow for discussion on this topic (goal is to add RFC 6187 support and NOT fork; tired of being browbeaten with "but commercial versions do it")?

> Instead, they have recently implemented an alternative certificate
> format which is much simpler to parse and thus introduces less risk. See
> the various man pages in OpenSSH 5.5 for more information.

Respectfully,

Jason Pyeron

1: https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-September/040400.html
2: https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028702.html
3: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys

--
Jason Pyeron | Architect
PD Inc | Certified SBA 8(a)
10 w 24th St | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
.mil: jason.j.pyeron.ctr@xxxxxxxx
.com: jpyeron@xxxxxxxx
tel : 202-741-9397

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
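The quoted 2010 reply makes the point that OpenSSH's own certificate format (PROTOCOL.certkeys) is "much simpler to parse" than X.509. As an added example that is not part of the post above and is not OpenSSH code, here is the entire `ssh-ed25519-cert-v01@openssh.com` wire layout parsed and policy-checked in standard-library Python: a flat sequence of SSH `string`/`uint32`/`uint64` fields, no ASN.1, no extension OIDs, no chain building. The CA key, user key and signature are constructed placeholders (the standard library has no Ed25519), so signature verification is delegated to a caller-supplied callable; a real verifier passes `signed_data` and `signature` to Ed25519 verify under the CA key. The trusted-CA check, validity window, principal match and the rule that an unrecognised critical option must cause rejection are the checks PROTOCOL.certkeys requires.

```python
"""Parse and authorise an OpenSSH ssh-ed25519-cert-v01@openssh.com certificate.
Added example (not OpenSSH code). Keys and signature below are constructed
placeholders; real signature checking is injected via the `verify` callable."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
# PROTOCOL.certkeys: a key with an unrecognised critical option MUST be refused.
KNOWN_CRITICAL_OPTIONS = {b"force-command", b"source-address"}


def put_string(b):
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential reader for SSH wire types; raises on truncation."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def string(self):
        return self.take(self.u32())

    def done(self):
        return self.off == len(self.buf)


def parse_pairs(blob):
    """Critical options and extensions are repeated (string name, string data)."""
    r, pairs = Reader(blob), {}
    while not r.done():
        name = r.string()
        pairs[name] = r.string()
    return pairs


def build_cert(pk, serial, cert_type, key_id, principals, valid_after,
               valid_before, critical, extensions, ca_pk, signature,
               nonce=bytes(32)):
    """Encode a certificate in the PROTOCOL.certkeys field order (for the demo)."""
    principals_blob = b"".join(put_string(p.encode()) for p in principals)
    critical_blob = b"".join(put_string(n) + put_string(d) for n, d in critical)
    ext_blob = b"".join(put_string(n) + put_string(b"") for n in extensions)
    to_sign = (put_string(CERT_TYPE) + put_string(nonce) + put_string(pk)
               + struct.pack(">Q", serial) + struct.pack(">I", cert_type)
               + put_string(key_id.encode()) + put_string(principals_blob)
               + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
               + put_string(critical_blob) + put_string(ext_blob)
               + put_string(b"") + put_string(ca_pk))
    return to_sign + put_string(signature)


def parse_cert(blob):
    """Decode every field; the CA signature covers all bytes before `signature`."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    cert = {"nonce": r.string(), "public_key": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string().decode()}
    pr, cert["principals"] = Reader(r.string()), []
    while not pr.done():
        cert["principals"].append(pr.string().decode())
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    cert["critical_options"] = parse_pairs(r.string())
    cert["extensions"] = parse_pairs(r.string())
    cert["reserved"] = r.string()
    cert["signature_key"] = r.string()
    cert["signed_data"] = blob[:r.off]
    cert["signature"] = r.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert


def authorize(blob, trusted_ca_keys, principal, now, verify):
    """The checks sshd applies for TrustedUserCAKeys; returns (ok, reason)."""
    cert = parse_cert(blob)
    if cert["signature_key"] not in trusted_ca_keys:
        return False, "not signed by a trusted CA"
    if not verify(cert["signature_key"], cert["signed_data"], cert["signature"]):
        return False, "bad signature"
    if cert["type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    if principal not in cert["principals"]:
        return False, "principal not listed"
    if set(cert["critical_options"]) - KNOWN_CRITICAL_OPTIONS:
        return False, "unrecognised critical option"
    return True, cert["key_id"]


# Constructed placeholders: not real Ed25519 keys or a real signature.
CA_PK, USER_PK, FAKE_SIG = b"\x01" * 32, b"\x02" * 32, b"\x03" * 64


def fake_verify(ca_pk, data, sig):
    """Stand-in for Ed25519 verify(ca_pk, data, sig)."""
    return sig == FAKE_SIG


# force-command's data is itself an SSH string, hence the nested put_string.
DEMO_CERT = build_cert(USER_PK, 7, CERT_TYPE_USER, "jason@example",
                       ["jason", "deploy"], 1_700_000_000, 1_700_086_400,
                       [(b"force-command", put_string(b"/usr/bin/rsync"))],
                       [b"permit-pty"], CA_PK, FAKE_SIG)

if __name__ == "__main__":
    print(authorize(DEMO_CERT, {CA_PK}, "jason", 1_700_000_100, fake_verify))
```

The whole decoder is one linear pass with bounds checks; compare that with what an RFC 6187 implementation has to get right (DER/BER parsing, name constraints, chain validation, revocation), which is the attack-surface argument in the quoted reply.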