OpenSSH Certkey (PKI)
Daniel Lang
dl at leo.org
Fri Nov 17 05:29:58 PST 2006
Hi,
Wolfgang S. Rupprecht wrote on Thu, Nov 16, 2006 at 08:43:20AM -0800:
[..]
> Oops. I quoted the wrong section. I had meant to quote the section
> about the user_certificates. This is what I meant to cite:
>
> +A user certificate is an authorization made by the CA that the
> +holder of a specific private key may login to the server as a
> +specific user, without the need of an authorized_keys file being
> +present. The CA gains the power to grant individual users access
> +to the server, and users do no longer need to maintain
> +authorized_keys files of their own.
>
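Review bot: wording in the added paragraph: "may login to the server" should read "may log in to the server", and "users do no longer need to maintain" should read "users no longer need to maintain". The paragraph also describes the certificate as "an authorization made by the CA" and says authorized_keys is no longer needed, but does not say how the server decides which local account a given certificate holder may use; a sentence on that mapping (or a pointer to the option that configures it) would make the authentication/authorisation split explicit.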
> I don't see a problem with the host certificates methodology. (In
> fact I'd love to see the known_hosts files fade away as more hosts
> transition to using host certificates.)
Ok, I see. A user certificate just means that the user is
authenticated, so I agree that the difference between authentication
and authorisation can be mixed up here and becomes blurred.
In fact, it would mean that you could abandon the authorized_keys
file, but you would still need an "authorized_users" file that
would need to contain the DN (or a similar identifier) of the user
that matches the certificate. So not a lot is saved, but things
may become less transparent...
Cheers,
Daniel
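To make the distinction raised in this thread concrete, here is an added illustration (not code from the thread, the proposed patch or OpenSSH itself): a toy server that first authenticates a CA-issued user certificate and then, as a separate step, checks the certificate holder's DN against a constructed "authorized_users" file before allowing a login to a given account. The CA "signature" is an HMAC stand-in for a real asymmetric signature, and all names, keys and file contents are made up.

```python
"""Toy model of CA-issued user certificates: authentication vs. authorisation.

Constructed example. The 'signature' is an HMAC over the certificate body
keyed with a CA secret, standing in for a real CA signature. All names,
fingerprints and file contents below are invented for illustration.
"""
import hashlib
import hmac
import json

# Constructed CA secret; stands in for the CA's private signing key.
CA_SECRET = b"constructed-ca-secret"


def sign_certificate(ca_secret: bytes, key_fingerprint: str, dn: str) -> dict:
    """CA side: bind a public-key fingerprint to an identity (a DN)."""
    body = {"key_fingerprint": key_fingerprint, "dn": dn}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ca_secret, payload, hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def verify_certificate(cert: dict, ca_secret: bytes) -> bool:
    """Server side, authentication: was this certificate issued by our CA?

    Any change to the body (e.g. a swapped DN) invalidates the signature.
    """
    body = {k: v for k, v in cert.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(ca_secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("signature", ""))


def parse_authorized_users(text: str) -> dict:
    """Parse a constructed 'authorized_users' file: one 'account: DN' per line."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, dn = line.split(":", 1)
        mapping.setdefault(account.strip(), set()).add(dn.strip())
    return mapping


def decide_login(cert: dict, requested_account: str, ca_secret: bytes,
                 authorized_users: dict):
    """Return (allowed, reason). Authentication first, then authorisation.

    A valid certificate proves who the holder is; it does not by itself say
    which local accounts that identity may use. That is what the
    authorized_users mapping decides.
    """
    if not verify_certificate(cert, ca_secret):
        return False, "certificate not signed by trusted CA"
    allowed_dns = authorized_users.get(requested_account, set())
    if cert["dn"] not in allowed_dns:
        return False, f"{cert['dn']} not authorised for account {requested_account}"
    return True, "ok"


# Constructed authorized_users file: which DNs may log in to which account.
AUTHORIZED_USERS = """
# account: distinguished name of the certificate holder (constructed)
alice: CN=Alice Example,O=Example Org
root: CN=Alice Example,O=Example Org
"""


if __name__ == "__main__":
    users = parse_authorized_users(AUTHORIZED_USERS)
    alice = sign_certificate(CA_SECRET, "SHA256:aaaa", "CN=Alice Example,O=Example Org")
    bob = sign_certificate(CA_SECRET, "SHA256:bbbb", "CN=Bob Example,O=Example Org")
    print(decide_login(alice, "alice", CA_SECRET, users))  # authenticated and authorised
    print(decide_login(bob, "alice", CA_SECRET, users))    # authenticated, not authorised
```

Bob's certificate is perfectly valid, yet he is refused the "alice" account because authorisation lives in the server-side mapping, not in the certificate. Conversely, editing Bob's certificate to carry Alice's DN fails at the authentication step, since the CA signature no longer matches.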
More information about the freebsd-current mailing list