Using signed certificates with OpenSSH

A few months ago, I started playing around with secure certificates. I downloaded TinyCA [1], a simple interface to OpenSSL [2] that's enough to run a simple certificate authority [3]. Using that, I created a secure site (it's signed by my own certificate authority so you'll get a warning if you visit that page; if you don't want to get the warning and you trust me enough, you can install my certificate authority certificate and check the fingerprints).

Once that was done, I went further and protected a directory using signed certificates for client authentication (and you'll get a very cryptic error when you visit that link without installing the proper certificate). TinyCA makes it painless to play around with this stuff (and for the curious, here is the configuration file [4]).

Now, the recent mess with logging in via ssh [5] got me thinking. It would be nice if we (as in, The Company) could use secure certificates to log in via ssh [6]. Sure, we can generate key files to have password-less logins, but we have a few customers that also need ssh access, and having a secure certificate would be nice. Not only could we set the expiration date, but we could also revoke the certificate should it become necessary (a compromised account, non-payment of bills or an employee (heaven forbid) being let go).

Now, given that TinyCA is a basic frontend to OpenSSL, and that OpenSSH [7] uses OpenSSL, I expected OpenSSH to have support for signed certificates.

Apparently not, but there is a patch for it [8]. This is something I need to look into.

Update on Thursday, May 18th, 2023

https://secure.conman.org/ is no longer as all my sites are now secure.

[1] http://tinyca.sm-zone.net/

[2] http://www.openssl.org/

[3] http://en.wikipedia.org/wiki/Certificate_Authority

[4] /boston/2009/03/02/siteconf.txt

[5] /boston/2009/02/28.1

[6] http://www.openssh.org/

[7] http://www.openssh.org/

[8] http://roumenpetrov.info/openssh/
