On 22 Sep 2022, at 05:41, Jason Pyeron <jpyeron@xxxxxxxx> wrote:

>> On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
>>> I would like to know whether OpenSSH supports x509 certificate based
>>> authentication.
>>
>> No, although Roumen Petrov maintains a patch that adds such support.
…
> The developers have maintained a stance that the complexity of X.509
> certificates introduces an unacceptable attack surface for sshd.
...
> Is this still the case? Reading PROTOCOL.certkeys [3], the preamble has not changed since 2010.

While Petrov's patches are splendid and (for us at least) rock solid, I would add that the infrastructure it relies on is indeed not risk free. Even if one does consult the network for OCSP or CRL.

We got very nearly taken out through an SSH implementation by CVE-2012-0654 (bad X.509 ca-authority cert commonly used in the energy industry).

Dw.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev