wfdawson at bellsouth
Nov 5, 2011, 4:42 AM
Post #1 of 1
My apologies to the list for inadvertently taking this offline.
FW: Help with CA Certificates for user authentication?
From: Iain Morgan [mailto:Iain.Morgan [at] nasa]
Sent: Friday, November 04, 2011 8:15 PM
To: wfdawson [at] bellsouth
Subject: Re: Help with CA Certificates for user authentication?
On Fri, Nov 04, 2011 at 11:53:25 -0500, wfdawson [at] bellsouth wrote:
> Thanks for the clarification. I started to suspect that I was misreading
> the intent of sigs for user auth keys as I reread those articles. What got
> me down the wrong path was my interpretation of the recent "what's new in
> openssh" slide deck.
> I care about batch mode sftp from unix systems but have to also architect
> key mgt. Null passphrase private keys are mostly not acceptable in our org,
> though trusting a key that has been signed by our own CA for auth, even if
> there is no "user password" applied, would likely get a "pass."
> For us, the compromise position that may be acceptable would be to use
> openssh CA trust applied to null passphrase user keys, tightened down to
> allow specific file transfer scripts on the server side.
Right. One of the advantages of using certificates is that the restrictions
are assigned at the point where the cert is generated, rather than relying
upon the user to put appropriate restrictions in an authorized_keys file.
And, you can also limit the lifetime of the cert.
> Now that I better understand the auth limitations, I know where to focus
> Thanks, again.
Glad to be of help.
> Sent via BlackBerry by AT&T
> -----Original Message-----
> From: Iain Morgan <imorgan [at] nas>
> Date: Fri, 4 Nov 2011 09:30:43
> To: wfdawson<wfdawson [at] bellsouth>
> Cc: openssh-unix-dev [at] mindrot<openssh-unix-dev [at] mindrot>
> Subject: Re: Help with CA Certificates for user authentication?
> Using certificates does not bypass the need for a passphrase. For both
> certificate and public-key authentication, the candidate key or
> certificate is first presented to the server to see if it will be
> accepted. If the server is willing to accept the key or cert, you then
> move on to the stage where an actual signature is required.
> Note that just as with conventional public-key authentication, you can
> use ssh-agent to avoid having to enter the passphrase every time.
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
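The compromise described in the thread (a CA-signed, null-passphrase key for batch sftp, restricted at signing time and limited in lifetime) worked through as an added example; this is not code from the thread or from OpenSSH itself, and the directory, key names, principal, key id and server paths are all constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Mints a short-lived OpenSSH user
# certificate for a batch sftp account whose private key has an empty
# passphrase: the CA-applied restrictions (forced command, no pty or
# forwarding, one principal, one-hour lifetime) limit what the key can do.
# Directory, key names, principal and server paths are all constructed.
set -e

mint_sftp_cert() {
    work=$1
    mkdir -p "$work"
    # CA key. In production this lives offline; the server only needs ca.pub.
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$work/ca"
    # Batch account key pair, deliberately without a passphrase.
    ssh-keygen -q -t ed25519 -N '' -C 'sftp-batch' -f "$work/batch"
    # Sign it. The restrictions travel inside the cert, so nothing depends on
    # the user keeping an authorized_keys entry tight:
    #   -I  key id that sshd writes to its auth log on every login
    #   -n  principal; with no AuthorizedPrincipalsFile it must equal the login name
    #   -V  validity window (+1h = valid from now, expiring in one hour)
    #   -O  critical option and extensions, same meaning as in authorized_keys
    ssh-keygen -q -s "$work/ca" -I 'sftp-batch@example' -n sftpbatch -V '+1h' \
        -O force-command=internal-sftp \
        -O no-pty -O no-port-forwarding -O no-agent-forwarding \
        -O no-X11-forwarding -O no-user-rc \
        "$work/batch.pub"
    # Decode the resulting batch-cert.pub so the restrictions can be audited.
    ssh-keygen -L -f "$work/batch-cert.pub"
}

# Matching sshd_config fragment (constructed). TrustedUserCAKeys makes the
# server accept certs from this CA; a server-side ForceCommand keeps the
# account limited even if a cert is ever signed too loosely.
sshd_fragment() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
Match User sftpbatch
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

# Return 0 if the decoded certificate text in file $1 contains pattern $2.
cert_has() { grep -q -- "$2" "$1"; }
```

Run `mint_sftp_cert /tmp/sftp-ca-demo` and read the decoded output: the Critical Options block should list only the forced command and the Extensions block should be empty, which is the whole point of the cert carrying the restrictions.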