On Wed, 21 Sep 2022, Jason Pyeron wrote:

> Recent posts here [1] and one of my engineers brought up certificate
> authentication topics at the same time, sorry for the necromancing.
>
> > -----Original Message----- [2]
> > From: Iain Morgan
> > Sent: Monday, June 7, 2010 7:23 PM
> >
> > On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > > Hello,
> > >
> > > I would like to know whether OpenSSH supports x509 certificate based
> > > authentication.
> >
> > No, although Roumen Petrov maintains a patch that adds such support.
>
> I assume this is referring to RFC 6187.
>
> <snip/>
>
> > The developers have maintained a stance that the complexity of X.509
> > certificates introduces an unacceptable attack surface for sshd.
>
> Is this still the case? Reading PROTOCOL.certkeys [3], the preamble
> has not changed since 2010.

Yes, still the case. X.509 and the associated PKI are too syntactically,
semantically and operationally complex for us to trust.

> What could possibly allow for discussion on this topic (goal is to
> add RFC 6187 support and NOT fork - tired of being browbeaten with "but
> commercial versions do it")?

We don't have any desire to support X.509 certificates in OpenSSH, sorry.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev