
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

OpenSSH and X509 authentication

Yesterday, I noticed the OpenSSH debug messages about GSSAPI authentication, and I thought that X509 authentication could be fun. The commercial SSH server includes this feature, but the free one does not. However, a patch is available here (X509 Authentication patch). My first try was really good: it works very well and has some nice features like OCSP support.

sshd_config

X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
# The intended use for the X509 client certificate. Without this option
# no chain verification will be done. Currently accepted uses are case
# insensitive:
#  - "sslclient", "SSL client", "SSL_client" or "client"
#  - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
#  - "skip" or ""(empty): don't check purpose.
AllowedCertPurpose sslclient

# Specifies whether self-issued (self-signed) X.509 certificate can be
# allowed only by entry in AuthorizedKeysFile that contain matching
# public key or certificate blob.
#KeyAllowSelfIssued no

# Specifies whether CRL must be present in store for all certificates in
# certificate chain with attribute "cRLDistributionPoints"
#MandatoryCRL no

# A file with multiple certificates of certificate signers
# in PEM format concatenated together.
CACertificateFile /usr/local/stow/openssh-4.3p2+x509/etc/ca/ca-bundle.crt
# A directory with CRL of certificate signers.
# The CRL should have name of the form: [HASH].r[NUMBER]
# or have symbolic links to them of this form.
#CARevocationPath /usr/local/stow/openssh-4.3p2+x509/etc/ca/crl

# LDAP protocol version.
# Example:
# CAldapVersion 2

# Note because of OpenSSH options parser limitation
# use %3D instead of = !
# Example:
# CAldapURL ldap://localhost:389/dc%3Dexample,dc%3Dcom

# SSH can use "Online Certificate Status Protocol"(OCSP)
# to validate certificate. Set VAType to
#  - none    : do not use OCSP to validate certificates;
#  - ocspcert: validate only certificates that specify `OCSP
#      Service Locator' URL;
#  - ocspspec: use specified in the configuration 'OCSP Responder'
#      to validate all certificates.
VAType ocspcert
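
A small audit of the X.509 options shown above, as an added example (not part of the original post or of the patch). The option names come from the sample config on this page; the sample input, the finding messages and the treatment of an unset VAType as "none" are assumptions of this example.

```python
SAMPLE = """\
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
AllowedCertPurpose skip
KeyAllowSelfIssued yes
#MandatoryCRL no
CAldapURL ldap://localhost:389/dc=example,dc=com
VAType none
"""  # constructed input, not the author's configuration


def parse(text):
    """Map lower-cased keyword -> list of values, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1] if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def audit(text):
    """Return a list of findings for the X.509 options in an sshd_config."""
    o = parse(text)
    first = lambda k, default=None: o[k][0] if k in o else default
    out = []
    purpose = first("allowedcertpurpose")
    if purpose is None:
        # Per the sample config comment: without it, no chain verification.
        out.append("AllowedCertPurpose unset: no chain verification")
    elif purpose.strip('"').lower() in ("skip", ""):
        out.append("AllowedCertPurpose skip: certificate purpose not checked")
    if any("md5" in v.lower() for v in o.get("x509keyalgorithm", [])):
        out.append("X509KeyAlgorithm uses an MD5 digest")
    if first("keyallowselfissued", "no").lower() == "yes":
        out.append("KeyAllowSelfIssued yes: self-issued certificates can be allowed")
    # Assumption: an unset VAType is treated here like "none".
    if first("vatype", "none").lower() == "none" and "carevocationpath" not in o:
        out.append("no revocation source: VAType none and no CARevocationPath")
    for url in o.get("caldapurl", []):
        if "=" in url:  # options parser limitation noted in the config
            out.append("CAldapURL contains '=': write %3D instead")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```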

~/.ssh/config (client side)

Host x509.asyd.net
IdentityFile ~/.ssh/asyd-private-01.pem

~/.ssh/authorized_keys (server side)

x509v3-sign-rsa subject= /emailAddress=asyd@asyd.net/CN=Bruno Bonfils/O=asyd dot net/C=FR

If you enable OCSP support, you should read my mail to Roumen Petrov.

Discussion

Bruno Bonfils, 2006/08/26 19h:

A patch from Roumen himself is now available here.

Bruno Bonfils, 2006/09/09 19h:

Roumen updated his page on the 4th of September.

Bruno Bonfils, 2006/10/18 08h:

Please use this patch, which works for all 5.x versions.

Bruno Bonfils, 2007/01/18 14h:

Interesting link: http://alon.barlev.googlepages.com/openssh-pkcs11