
Re: X.509 certificate support


On 7/26/22 11:13, Roman Janota wrote:
Hello,

I was wondering if there is support for authentication via X.509 certificates (as this email archive <https://archive.libssh.org/libssh/2015-03/0000000.html> suggests). If it can be done, is it possible to extract the client's certificate on the server side after a successful authentication? If so, can you please clarify which API calls to use? Thank you in advance.

Hi,
It is not possible to use X.509 certificates for authentication in libssh. There is RFC 6187, and there are patches for OpenSSH to work with raw X.509 certificates, but they were never merged upstream because they hugely increase the attack surface:

https://roumenpetrov.info/secsh/index.html

Instead, the OpenSSH developers implemented SSH certificates, which also partially work in libssh. These are discussed in the above-mentioned link, but libssh supports them only as opaque blobs read from files, so they are usable only for client-side authentication. The server-side implementation is still missing.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
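To make concrete what the "opaque blob" in a *-cert.pub file contains, and what a server-side implementation would have to check before trusting it, here is an added example that is not code from libssh, OpenSSH or either author of this thread. It encodes and parses the ssh-ed25519-cert-v01@openssh.com certificate layout described in OpenSSH's PROTOCOL.certkeys (RFC 4251 length-prefixed strings and big-endian integers), then evaluates the principal and validity-window policy that OpenSSH's sshd applies. The nonce, key and signature bytes are constructed placeholders, and the signature is deliberately not verified; a real server must verify it against a trusted CA key before acting on any field.

```c
/* Added example, not libssh or OpenSSH code: encode and parse the
 * ssh-ed25519-cert-v01@openssh.com certificate blob that libssh reads from a
 * *-cert.pub file as an opaque string.  Key and signature bytes are constructed
 * placeholders; the signature is NOT verified here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CERT_TYPE_USER 1   /* PROTOCOL.certkeys: 1 = user cert, 2 = host cert */

typedef struct { uint8_t *p; size_t len, cap; } wbuf;       /* writer */
typedef struct { const uint8_t *p; size_t len, off; } rbuf; /* reader */

typedef struct {
    uint64_t serial, valid_after, valid_before;
    uint32_t type;
    char key_id[64];
    char principals[4][32];
    int nprincipals;
} ssh_cert;

static int put_u32(wbuf *b, uint32_t v) {
    if (b->len + 4 > b->cap) return 0;
    b->p[b->len++] = (uint8_t)(v >> 24); b->p[b->len++] = (uint8_t)(v >> 16);
    b->p[b->len++] = (uint8_t)(v >> 8);  b->p[b->len++] = (uint8_t)v;
    return 1;
}
static int put_u64(wbuf *b, uint64_t v) {
    return put_u32(b, (uint32_t)(v >> 32)) && put_u32(b, (uint32_t)v);
}
static int put_str(wbuf *b, const void *s, size_t n) {
    if (n > UINT32_MAX || !put_u32(b, (uint32_t)n) || b->len + n > b->cap) return 0;
    memcpy(b->p + b->len, s, n); b->len += n; return 1;
}
static int get_u32(rbuf *b, uint32_t *v) {
    const uint8_t *q = b->p + b->off;
    if (b->len - b->off < 4) return 0;
    *v = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) | ((uint32_t)q[2] << 8) | q[3];
    b->off += 4; return 1;
}
static int get_u64(rbuf *b, uint64_t *v) {
    uint32_t hi, lo;
    if (!get_u32(b, &hi) || !get_u32(b, &lo)) return 0;
    *v = ((uint64_t)hi << 32) | lo; return 1;
}
/* Length-prefixed string; a declared length past the end of the buffer is an error. */
static int get_str(rbuf *b, const uint8_t **s, uint32_t *n) {
    if (!get_u32(b, n) || b->len - b->off < *n) return 0;
    *s = b->p + b->off; b->off += *n; return 1;
}

/* Serialise a certificate in PROTOCOL.certkeys field order; returns blob length or 0. */
size_t build_cert(const ssh_cert *c, uint8_t *out, size_t cap) {
    static const char type_name[] = "ssh-ed25519-cert-v01@openssh.com";
    uint8_t nonce[32] = {0}, pk[32] = {1}, sig[64] = {2};  /* constructed placeholders */
    uint8_t plist[256]; wbuf pl = { plist, 0, sizeof plist };
    wbuf b = { out, 0, cap };
    int i;
    for (i = 0; i < c->nprincipals; i++)      /* principals are strings packed in a string */
        if (!put_str(&pl, c->principals[i], strlen(c->principals[i]))) return 0;
    if (!put_str(&b, type_name, sizeof type_name - 1) ||
        !put_str(&b, nonce, sizeof nonce) || !put_str(&b, pk, sizeof pk) ||
        !put_u64(&b, c->serial) || !put_u32(&b, c->type) ||
        !put_str(&b, c->key_id, strlen(c->key_id)) || !put_str(&b, plist, pl.len) ||
        !put_u64(&b, c->valid_after) || !put_u64(&b, c->valid_before) ||
        !put_str(&b, "", 0) || !put_str(&b, "", 0) || !put_str(&b, "", 0) || /* critical opts, extensions, reserved */
        !put_str(&b, pk, sizeof pk) ||   /* signature key: placeholder for the CA public key blob */
        !put_str(&b, sig, sizeof sig))   /* signature over all preceding bytes (placeholder) */
        return 0;
    return b.len;
}

/* Parse the blob into c; returns 1 on success, 0 on any malformed or truncated input. */
int parse_cert(const uint8_t *blob, size_t len, ssh_cert *c) {
    rbuf b = { blob, len, 0 }, pl;
    const uint8_t *s; uint32_t n; int i;
    memset(c, 0, sizeof *c);
    if (!get_str(&b, &s, &n) || n != 32 || memcmp(s, "ssh-ed25519-cert-v01@openssh.com", 32)) return 0;
    if (!get_str(&b, &s, &n) || !get_str(&b, &s, &n)) return 0;   /* nonce, public key */
    if (!get_u64(&b, &c->serial) || !get_u32(&b, &c->type)) return 0;
    if (!get_str(&b, &s, &n) || n >= sizeof c->key_id) return 0;
    memcpy(c->key_id, s, n);
    if (!get_str(&b, &s, &n)) return 0;
    pl.p = s; pl.len = n; pl.off = 0;
    while (pl.off < pl.len) {
        const uint8_t *ps; uint32_t pn;
        if (c->nprincipals == 4 || !get_str(&pl, &ps, &pn) || pn >= 32) return 0;
        memcpy(c->principals[c->nprincipals++], ps, pn);
    }
    if (!get_u64(&b, &c->valid_after) || !get_u64(&b, &c->valid_before)) return 0;
    for (i = 0; i < 5; i++)   /* critical options, extensions, reserved, signature key, signature */
        if (!get_str(&b, &s, &n)) return 0;
    return b.off == len;      /* reject trailing bytes */
}

/* The policy a server must apply AFTER verifying the signature: user cert,
 * principal listed (an empty list means any principal, as in OpenSSH),
 * and valid_after <= now < valid_before. */
int cert_permits(const ssh_cert *c, const char *principal, uint64_t now) {
    int i;
    if (c->type != CERT_TYPE_USER) return 0;
    if (now < c->valid_after || now >= c->valid_before) return 0;
    if (c->nprincipals == 0) return 1;
    for (i = 0; i < c->nprincipals; i++)
        if (strcmp(c->principals[i], principal) == 0) return 1;
    return 0;
}

/* Constructed sample certificate used by the checks below. */
static size_t sample_blob(uint8_t *blob, size_t cap) {
    ssh_cert in = { .serial = 42, .valid_after = 1000, .valid_before = 2000,
                    .type = CERT_TYPE_USER, .key_id = "alice@laptop",
                    .principals = { "alice", "deploy" }, .nprincipals = 2 };
    return build_cert(&in, blob, cap);
}
/* Round-trip the sample and evaluate policy; -1 if encode/parse fails. */
int sample_cert_permits(const char *principal, uint64_t now) {
    ssh_cert out; uint8_t blob[512];
    size_t n = sample_blob(blob, sizeof blob);
    if (n == 0 || !parse_cert(blob, n, &out)) return -1;
    if (out.serial != 42 || strcmp(out.key_id, "alice@laptop") != 0 || out.nprincipals != 2) return -1;
    return cert_permits(&out, principal, now);
}
/* A blob cut one byte short must be rejected, not partially trusted. */
int sample_truncated_rejected(void) {
    ssh_cert out; uint8_t blob[512];
    size_t n = sample_blob(blob, sizeof blob);
    return n > 0 && parse_cert(blob, n - 1, &out) == 0;
}

int main(void) {
    printf("alice@1500: %d  alice@2000: %d  bob@1500: %d  truncated rejected: %d\n",
           sample_cert_permits("alice", 1500), sample_cert_permits("alice", 2000),
           sample_cert_permits("bob", 1500), sample_truncated_rejected());
    return 0;
}
```

The parser checks every declared length against the remaining buffer and refuses trailing bytes, which is the part of a server-side implementation that turns an attacker-controlled blob into something safe to inspect; the policy check is only meaningful once the signature over the preceding bytes has been verified with a CA key the server already trusts.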

