===== OpenSSH and X509 authentication =====

Yesterday, I noticed OpenSSH debug messages about GSSAPI authentication, and I thought that X509 authentication could be fun. The commercial SSH server includes this feature, but the free one does not. However, a patch is available here ([[http://roumenpetrov.info/openssh/|X509 Authentication patch]]).

My first try was really good: it works very well and has some nice [[http://roumenpetrov.info/openssh/#features|features]], like OCSP support.

//sshd_config//

<code>
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5

# The intended use for the X509 client certificate. Without this option
# no chain verification will be done. Currently accepted uses are case
# insensitive:
#  - "sslclient", "SSL client", "SSL_client" or "client"
#  - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
#  - "skip" or ""(empty): don't check purpose.
AllowedCertPurpose sslclient

# Specifies whether self-issued(self-signed) X.509 certificate can be
# allowed only by entry in AuthorizedKeysFile that contain matching
# public key or certificate blob.
#KeyAllowSelfIssued no

# Specifies whether CRL must present in store for all certificates in
# certificate chain with attribute "cRLDistributionPoints"
#MandatoryCRL no

# A file with multiple certificates of certificate signers
# in PEM format concatenated together.
CACertificateFile /usr/local/stow/openssh-4.3p2+x509/etc/ca/ca-bundle.crt

# A directory with CRL of certificate signers.
# The CRL should have name of the form: [HASH].r[NUMBER]
# or have symbolic links to them of this form.
#CARevocationPath /usr/local/stow/openssh-4.3p2+x509/etc/ca/crl

# LDAP protocol version.
# Example:
# CAldapVersion 2

# Note because of OpenSSH options parser limitation
# use %3D instead of = !
# Example:
# CAldapURL ldap://localhost:389/dc%3Dexample,dc%3Dcom

# SSH can use "Online Certificate Status Protocol"(OCSP)
# to validate certificate. Set VAType to
#  - none    : do not use OCSP to validate certificates;
#  - ocspcert: validate only certificates that specify `OCSP
#      Service Locator' URL;
#  - ocspspec: use specified in the configuration 'OCSP Responder'
#      to validate all certificates.
VAType ocspcert
</code>

//~/.ssh/config// (client side)

<code>
Host x509.asyd.net
  IdentityFile ~/.ssh/asyd-private-01.pem
</code>

//~/.ssh/authorized_keys// (server side)

<code>
x509v3-sign-rsa subject= /emailAddress=asyd@asyd.net/CN=Bruno Bonfils/O=asyd dot net/C=FR
</code>

If you enable OCSP support, you should read [[http://kaoru.asyd.net/~asyd/stuff/mail-to-roumen.txt|my mail to Roumen Petrov]].

~~DISCUSSION~~
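The option descriptions in the sshd_config above imply which certificate checks are actually active. The following Python audit is an added example, not part of the original page or of the X509 patch, and it reads only the directives shown on this page. The names `parse_sshd_config` and `audit_x509` and the finding labels are hypothetical; it assumes the second field of `X509KeyAlgorithm` names the signature digest and that a commented-out `VAType` behaves like `none`.

```python
import re

def parse_sshd_config(text):
    """Map lowercased directive -> value for active lines (first value wins)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), value)
    return opts

def audit_x509(text):
    """Return findings for the X.509 directives shown in the sample sshd_config."""
    o = parse_sshd_config(text)
    findings = []
    # Assumption: the part after the comma names the signature digest.
    if "md5" in o.get("x509keyalgorithm", "").lower():
        findings.append("md5-digest")
    # Per the sample's comments: unset means no chain verification,
    # "skip" or empty means the purpose is not checked.
    if "allowedcertpurpose" not in o:
        findings.append("no-chain-verification")
    elif o["allowedcertpurpose"].strip('"').lower() in ("", "skip"):
        findings.append("purpose-not-checked")
    # Assumption: a commented-out VAType behaves like "none".
    vatype = o.get("vatype", "none").lower()
    has_crl_dir = "carevocationpath" in o
    if not has_crl_dir and vatype == "none":
        findings.append("no-revocation-check")
    elif not has_crl_dir and vatype == "ocspcert":
        # ocspcert only covers certificates that carry an OCSP URL.
        findings.append("revocation-gap-without-ocsp-url")
    return findings

# Constructed sample: the active lines of the configuration on this page.
PAGE_CONFIG = """\
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
AllowedCertPurpose sslclient
#KeyAllowSelfIssued no
#MandatoryCRL no
CACertificateFile /usr/local/stow/openssh-4.3p2+x509/etc/ca/ca-bundle.crt
#CARevocationPath /usr/local/stow/openssh-4.3p2+x509/etc/ca/crl
VAType ocspcert
"""

if __name__ == "__main__":
    for finding in audit_x509(PAGE_CONFIG):
        print(finding)
```

With the page's settings it reports the MD5 digest and the fact that, with `CARevocationPath` commented out and `VAType ocspcert`, a certificate without an OCSP URL gets no revocation check.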