Dear List...

I have a similar question to the one that is copied below. I
am trying to get instructions for configuring OpenSSH to use PKI-based
authentication.

I understand that I can provide the server with the public keys
of the client machines to get this working (one way) but the next
step is where I would like to go...

I want SSHD to authenticate my users based upon the "Root
Certificate" of "My" PKI. (Say I set it up using: ""

If the client attempting to authenticate presents a certificate
that:

1. is signed by My_Root_CA
2. is not expired
3. is not revoked

then SSHD will proceed with the authentication of the client.

If the "client user" gets Public/private keys + certificate from
some other CA (like or the SSHD will
NOT authenticate because the certificate used was not signed by:

Can OpenSSH do this??

If not, I do not want the client user to be able to install his own
public keys. Can I put a list of accepted public keys somewhere else
(like: /etc/ssh/authorized_keys) or do I have to put them in each
users home directory and make the ~/.ssh/authorized_keys only
writable by root?

Please CC: me on the reply because I am not subscribed to this list.

Thanks in advance for your reply.
Ben Hacker Jr

-----Original Message-----
[] On
Behalf Of Gregory Seidman
Sent: Monday, February 23, 2004 5:23 PM
To: OpenSSH development list
Subject: PKI and SSH

Due to unpleasant (but arguably valid) policy changes at work, any SSH
server within the work firewall must accept only PKI authentication.
Unless we can convince the higher-ups otherwise, we will also have to
use the commercial SSH server within the firewall. Of course, I should
be able to use whatever client I like. Unfortunately, it is not clear
that I can get OpenSSH to use PKI authentication. A bit of googling
turns up a patch, but nothing too certain or clear. Does OpenSSH support
PKI authentication? If so, how do I use it?


Ben Hacker, Jr.
Sr. Security Analyst
703.751.3757 (w)
-- -- --

openssh-unix-dev mailing list
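OpenSSH later gained native certificate support (from 5.4): sshd_config `TrustedUserCAKeys` names the CA public key, `RevokedKeys` lists revoked keys or serials, and `ssh-keygen -s ca_key -V` sets the validity window, which together give the three checks Ben asks for. The Python below is an added example (not from this thread) that parses the OpenSSH certificate wire format from PROTOCOL.certkeys and applies those checks; `build_cert`, `policy_check` and the 32-byte key values are constructed placeholders, and the signature itself is not verified (sshd does that).

```python
import base64
import struct
# Minimal encoder/decoder for ssh-ed25519-cert-v01@openssh.com (PROTOCOL.certkeys).
# Signature verification is left to sshd; only the three policy checks are shown.

def ssh_string(b):                        # encode one SSH "string" (uint32 length + bytes)
    return struct.pack(">I", len(b)) + b

def read_string(buf, pos):                # decode one SSH "string" at pos
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def ca_blob(pk32):                        # public key blob as stored in the signature key field
    return ssh_string(b"ssh-ed25519") + ssh_string(pk32)

def build_cert(user_pk, ca_pk, serial, principal, valid_after, valid_before):
    # Constructed sample cert; the signature is a dummy (ssh-keygen -s makes a real one).
    body = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"nonce")
            + ssh_string(user_pk) + struct.pack(">QI", serial, 1)  # type 1 = user cert
            + ssh_string(b"key-id") + ssh_string(ssh_string(principal))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")  # crit opts, exts, reserved
            + ssh_string(ca_blob(ca_pk)) + ssh_string(b"dummy-signature"))
    return base64.b64encode(body).decode()

def parse_cert(b64):
    buf, pos, f = base64.b64decode(b64), 0, {}
    for name in ("type", "nonce", "pk"):
        f[name], pos = read_string(buf, pos)
    f["serial"], f["certtype"] = struct.unpack(">QI", buf[pos:pos + 12]); pos += 12
    f["keyid"], pos = read_string(buf, pos)
    f["principals"], pos = read_string(buf, pos)
    f["after"], f["before"] = struct.unpack(">QQ", buf[pos:pos + 16]); pos += 16
    for name in ("crit", "ext", "reserved", "sigkey"):
        f[name], pos = read_string(buf, pos)
    return f

def policy_check(b64, trusted_ca, revoked_serials, now):
    """Return 'ok' or the first failing rule: CA match, validity window, revocation."""
    f = parse_cert(b64)
    if f["sigkey"] != trusted_ca:
        return "not signed by My_Root_CA"
    if not (f["after"] <= now < f["before"]):
        return "expired or not yet valid"
    if f["serial"] in revoked_serials:
        return "revoked"
    return "ok"
```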