RE: X509 based certificate authentication in OpenSSH

On Wed, 21 Sep 2022, Jason Pyeron wrote:

> Recent posts here [1] and one of my engineers brought up certificate authentication topics at the same time, sorry for the necromancing.
> 
> > -----Original Message----- [2]
> > From: Iain Morgan
> > Sent: Monday, June 7, 2010 7:23 PM
> > 
> > On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > > Hello,
> > >
> > > I would like to know whether OpenSSH supports x509 certificate based
> > > authentication.
> > 
> > No, although Roumen Petrov maintains a patch that adds such support.
> 
> I assume this is referring to RFC 6187.
> 
> <snip/>
> 
> > The developers have maintained a stance that the complexity of X.509
> > certificates introduces an unacceptable attack surface for sshd.
>
> Is this still the case? Reading PROTOCOL.certkeys [3], the preamble
> has not changed since 2010.

Yes, still the case. X.509 and the associated PKI are too syntactically,
semantically and operationally complex for us to trust.

> What could possibly allow for discussion on this topic (goal is to
> add RFC 6187 support and NOT fork - tired of being browbeaten with "but
> commercial versions do it")?

We don't have any desire to support X.509 certificates in OpenSSH,
sorry.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


