
Re: OpenSSH Certkey (PKI)

To: "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
Subject: Re: OpenSSH Certkey (PKI)
From: Andre Oppermann <andre@freebsd.org>
Date: Thu, 16 Nov 2006 18:55:43 +0100
Cc: freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org
Wolfgang S. Rupprecht wrote:
> Daniel Lang <dl@leo.org> writes:
> 
>>Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?
> 
> Oops. I quoted the wrong section.  I had meant to quote the section
> about the user_certificates.  This is what I meant to cite:
> 
>      +A user certificate is an authorization made by the CA that the
>      +holder of a specific private key may login to the server as a
>      +specific user, without the need of an authorized_keys file being
>      +present. The CA gains the power to grant individual users access
>      +to the server, and users do no longer need to maintain
>      +authorized_keys files of their own.
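Review bot: the paragraph says "The CA gains the power to grant individual users access" without saying how the server decides which CA that is, so it can be read as though a certificate from any CA would be accepted; since this text also drops the authorized_keys requirement, it should state that only user certificates signed by a CA key the server has been configured to trust are honoured, as that configuration becomes the server-side control. Grammar in the last sentence: "users do no longer need to maintain" should read "users no longer need to maintain".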
> 
> I don't see a problem with the host certificates methodology.  (In
> fact I'd love to see the known_hosts files fade away as more hosts
> transition to using host certificates.)

Host certificate verification is separate from user authentication/authorization
through certificates.  You can use one without using or enabling the other.

-- 
Andre
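
The separation Andre describes, shown concretely as an added example. This is not code from the 2006 certkey patch under discussion; it uses the certificate support that later shipped in OpenSSH (5.4 and newer), where the client trusts a host CA through an `@cert-authority` line in `known_hosts` and the server trusts a user CA through `TrustedUserCAKeys` in `sshd_config`. Two distinct CAs are generated so the two trust anchors are visibly different, and the helper functions read the certificates back with `ssh-keygen -L` to confirm which CA signed which. The hostname, principal, key ID and file names are made up for the example.

```shell
#!/bin/sh
# Added example; not code from the 2006 certkey patch discussed in this thread.
# It uses the certificate support that later shipped in OpenSSH (5.4 and newer)
# to show that host-certificate trust and user-certificate trust are configured
# in different places: the client trusts a host CA via an @cert-authority line
# in known_hosts, the server trusts a user CA via TrustedUserCAKeys in
# sshd_config, and neither setting needs the other. Two distinct CAs are used
# so the two trust anchors are visibly different. Hostname, principal, key ID
# and file names below are made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a host CA, a user CA, one host key and one user key, then sign the
# host key with the host CA and the user key with the user CA.
make_keys() {
    for k in host_ca user_ca ssh_host_ed25519_key id_alice; do
        rm -f "$WORK/$k" "$WORK/$k.pub" "$WORK/$k-cert.pub"
        ssh-keygen -q -t ed25519 -N '' -C "$k" -f "$WORK/$k"
    done
    # Host certificate (-h); the principal is the name the server may claim.
    ssh-keygen -q -s "$WORK/host_ca" -I server1-host -h -n server1.example.com \
        "$WORK/ssh_host_ed25519_key.pub"
    # User certificate; the principal is the account the holder may log in as.
    ssh-keygen -q -s "$WORK/user_ca" -I alice@corp -n alice -V +52w \
        "$WORK/id_alice.pub"
}

# Client side only: trust the host CA for *.example.com. This replaces
# per-host known_hosts entries and says nothing about user authentication.
write_known_hosts() {
    printf '@cert-authority *.example.com %s\n' "$(cat "$WORK/host_ca.pub")" \
        > "$WORK/known_hosts"
}

# Server side only: present the host certificate and trust the user CA.
# Either directive works without the other.
write_sshd_config() {
    cat > "$WORK/sshd_config" <<EOF
HostKey $WORK/ssh_host_ed25519_key
HostCertificate $WORK/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $WORK/user_ca.pub
EOF
}

# "host" or "user", taken from the Type: line of ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1) }'
}

# Principals embedded in a certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/Principals:/ { p = 1; next }
                                 /Critical Options:/ { p = 0 }
                                 p { print $1 }'
}

# SHA256 fingerprint of the CA key that signed a certificate.
signing_ca() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }'
}

# SHA256 fingerprint of a public key file.
key_fp() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Fingerprint of the CA the client's known_hosts trusts for host certificates.
trusted_host_ca_fp() {
    awk '$1 == "@cert-authority" { print $3, $4 }' "$WORK/known_hosts" \
        > "$WORK/known_hosts_ca.pub"
    key_fp "$WORK/known_hosts_ca.pub"
}

# Fingerprint of the CA the server's sshd_config trusts for user certificates.
trusted_user_ca_fp() {
    key_fp "$(awk '$1 == "TrustedUserCAKeys" { print $2 }' "$WORK/sshd_config")"
}

demo() {
    make_keys
    write_known_hosts
    write_sshd_config
    hc="$WORK/ssh_host_ed25519_key-cert.pub"
    uc="$WORK/id_alice-cert.pub"
    echo "$(cert_type "$hc") cert for $(cert_principals "$hc"), signed by $(signing_ca "$hc")"
    echo "$(cert_type "$uc") cert for $(cert_principals "$uc"), signed by $(signing_ca "$uc")"
    echo "client known_hosts trusts host CA $(trusted_host_ca_fp)"
    echo "server sshd_config trusts user CA  $(trusted_user_ca_fp)"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

The host certificate's signing CA matches only the key named in the client's `known_hosts`, and the user certificate's signing CA matches only the key named in the server's `TrustedUserCAKeys`; deleting either line leaves the other mechanism working. When wiring this into a real session, the certificate principal must match the name the client actually connects to, and the `@cert-authority` pattern must match that name as well.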

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
