[ssh_x509] Public Key Authentication

ssh_x509 at roumenpetrov.info
Wed Dec 5 01:02:10 EET 2012


Hi Goran,

Goran Sustek wrote:
> [SNIP]
>
> Public key authentication needs another mechanism for mapping users.
> The OpenSSH protocol expects the SSH_MSG_USERAUTH_REQUEST message, so, as I
> demonstrated in my first post, we can easily impersonate someone during SSH
> logon if we copy authorized_keys into the impersonated user's home directory.   With
> only user/password authentication, this same impersonation requires
> knowing the user's password...
The next OpenSSH version will finally support "multiple required 
authentications".
For example, the server could require public key authentication first and then 
password authentication to complete successfully.
Maybe this will resolve your case, but only for "direct" logon.


> So can we somehow patch the OpenSSH source code to read from the X509v3
> certificate only the CN or principal name or something else we want, and pair
> it with the username we provide when we try to ssh? And if this does not match, we
> abort the logon.

Maybe if the X.509 certificate contains, as an extension element, a user identifier 
(uid), the server could be patched to require an exact match to allow logon.
UID is defined as an attribute of posixAccount in the NIS schema.

[SNIP]

None of the above could stop the superuser from "impersonating" another user.

Roumen Petrov
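An added illustration of the exact-match rule discussed in this message (written for this archive page; it is not OpenSSH code and not part of the ssh_x509 patch): take the certificate subject in RFC 2253 form, as `openssl x509 -noout -subject -nameopt RFC2253` prints it, and accept the logon only when exactly one UID attribute (the LDAP uid attribute, OID 0.9.2342.19200300.100.1.1, RFC 4519) is present and equals the user name carried in SSH_MSG_USERAUTH_REQUEST. The sample subjects and the function names are constructed for the example. The "multiple required authentications" point became, in OpenSSH 6.2 and later, the `AuthenticationMethods publickey,password` directive in sshd_config.

```python
"""Exact-match check of an X.509 subject UID against the SSH user name.

Added example for this archive page; it is not OpenSSH code and not part of
the ssh_x509 patch. Function names and the sample subjects are invented.
"""

# The LDAP 'uid' attribute (OID 0.9.2342.19200300.100.1.1, RFC 4519) is what
# OpenSSL prints as "UID" in a subject name.
UID_ATTR = "UID"

# Constructed sample subjects, in the form printed by
#   openssl x509 -noout -subject -nameopt RFC2253
# (without the leading "subject=").
SAMPLE_SUBJECTS = {
    "alice":  "UID=alice,CN=Alice Example,O=Example Corp",
    "bob":    "CN=Bob\\, Jr.,UID=bob,O=Example Corp",   # escaped comma in CN
    "nouid":  "CN=No Uid,O=Example Corp",               # no UID at all
    "twouid": "UID=carol,UID=root,O=Example Corp",      # ambiguous identity
}


def parse_rfc2253(dn):
    """Split an RFC 2253 string into (type, value) pairs.

    Handles backslash escapes (e.g. '\\,') and '+'-joined multi-valued RDNs;
    the '#hex' value encoding is not needed for this illustration.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if c in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))

    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value))
    return pairs


def subject_uids(dn):
    """All UID values in the subject, in order of appearance."""
    return [v for t, v in parse_rfc2253(dn) if t == UID_ATTR]


def check_uid_matches(dn, requested_user):
    """Return (ok, reason).

    Accept only when the subject carries exactly one UID and it is
    byte-for-byte equal to the user name from SSH_MSG_USERAUTH_REQUEST.
    No case folding or trimming: Unix user names are case-sensitive, and a
    lenient comparison is exactly where an impersonation check goes wrong.
    """
    uids = subject_uids(dn)
    if not uids:
        return False, "certificate subject has no UID attribute"
    if len(uids) > 1:
        return False, "certificate subject has %d UID attributes" % len(uids)
    if uids[0] != requested_user:
        return False, "certificate UID %r != requested user %r" % (uids[0], requested_user)
    return True, "certificate UID matches requested user"


if __name__ == "__main__":
    for name, dn in SAMPLE_SUBJECTS.items():
        for user in ("alice", "bob", "carol", "root"):
            ok, why = check_uid_matches(dn, user)
            print("%-6s as %-5s -> %s (%s)" % (name, user, "ALLOW" if ok else "DENY", why))
```

The check deliberately refuses a subject with two UID values instead of picking the first one: a certificate that names both "carol" and "root" is an ambiguous identity, and rejecting it is the safe default for an authentication decision.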
