Yesterday, I notice that openssh debug messages about GSSAPI authentication, and I thought that X509 authentication could be funny. The commercial SSH server include this feature, but not the free one. Though, a patch is available here (X509 Authentication patch). My first try was really good, it works very well, have some nice features like OCSP support.
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # The intended use for the X509 client certificate. Without this option # no chain verification will be done. Currently accepted uses are case # insensitive: # - "sslclient", "SSL client", "SSL_client" or "client" # - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" # - "skip" or ""(empty): don`t check purpose. AllowedCertPurpose sslclient Specifies whether self-issued(self-signed) X.509 certificate can be # allowed only by entry in AutorizedKeysFile that contain matching # public key or certificate blob. #KeyAllowSelfIssued no # Specifies whether CRL must present in store for all certificates in # certificate chain with atribute "cRLDistributionPoints" #MandatoryCRL no # A file with multiple certificates of certificate signers # in PEM format concatenated together. CACertificateFile /usr/local/stow/openssh-4.3p2+x509/etc/ca/ca-bundle.crt # A directory with CRL of certificate signers. # The CRL should have name of the form: [HASH].r[NUMBER] # or have symbolic links to them of this form. #CARevocationPath /usr/local/stow/openssh-4.3p2+x509/etc/ca/crl # LDAP protocol version. # Example: # CAldapVersion 2 # Note because of OpenSSH options parser limitation # use %3D instead of = ! # Example: # CAldapURL ldap://localhost:389/dc%3Dexample,dc%3Dcom # SSH can use "Online Certificate Status Protocol"(OCSP) # to validate certificate. Set VAType to # - none : do not use OCSP to validate certificates; # - ocspcert: validate only certificates that specify `OCSP # Service Locator' URL; # - ocspspec: use specified in the configuration 'OCSP Responder' # to validate all certificates. VAType ocspcert
~/ssh/config (client side)
Host x509.asyd.net IdentityFile ~/.ssh/asyd-private-01.pem
~/ssh/authorized_keys (server side)
x509v3-sign-rsa subject= /emailAddressfirstname.lastname@example.org/CN=Bruno Bonfils/O=asyd dot net/C=FR
If you enable the OCSP support, you should read my mail to Roumen Petrov
Welcome to Bruno Bonfils's (aka asyd homepage).