
How to set up OpenSSH to use x509 PKI for authentication?

Çağlar Arlı


I do not mean simply putting the public RSA key of an X.509 certificate into ~/.ssh/authorized_keys - I'm looking for a way to set up SSH such that X.509 certificates signed by a pre-defined CA will automatically be granted access to the linked user account. RFC 6187 seems to suggest such a functionality, but I can't find any documentation on this, or whether it is implemented in OpenSSH at all.

Here's a more elaborate description of what I want to do:

  • A CA ("SSH-CA") is set up
  • This CA is used to sign user certificates with keyUsage=digitalSignature (and maybe the id-kp-secureShellClient extendedKeyUsage field)
  • This certificate can now be used to log in on a server. The server does not require the public key to be present in authorized_keys. Instead, it is set up to trust the SSH-CA to verify the public key and signature of the certificate (or certificate chain) and the username/UID (probably directly in the subjectAltName field, or maybe using some server-side mapping) before the usual RSA authentication takes place

So, (how) can this be achieved with OpenSSH, and if it requires a patch how can client-side modifications be kept minimal?


As an alternative I guess one could also use any S/MIME certificate plus a username-to-email-address mapping, without requiring one's own CA. The client could also still use only the private RSA key, and a certificate server is used to obtain a certificate from a public key, additionally offering the possibility to use PGP certificates as well (e.g. via monkeysphere) without the user requiring any knowledge about all this as long as they simply provide a public key.

If it's not natively possible, I guess I could come up with a semi-automatic "implementation" of this by letting a script on the server automatically check an otherwise submitted certificate via openssl (or gnupg) and have the public key put into the respective user's authorized_keys file - although at that point I am probably more or less re-doing the monkeysphere project...
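The workflow the question describes (a CA signs user keys, the server trusts the CA, and the certificate itself names the account) is what OpenSSH's own certificate format provides, independently of X.509 or RFC 6187. The script below is an added example, not part of the original post: it builds a throwaway SSH-CA, signs a user key for the principal "alice", writes the two sshd_config directives that make the server trust that CA, and reads the principal back out of the certificate. It assumes ssh-keygen from OpenSSH is installed; the key comment, identity string and the /etc/ssh paths in the config fragment are illustrative values chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): the CA-signed login workflow
# from the question, done with OpenSSH certificates instead of X.509.
# Assumes ssh-keygen (OpenSSH) is installed; everything is written to a
# temporary directory and removed afterwards.
set -eu

# Build a demo CA, sign a user key for principal "alice", and print the
# principals embedded in the resulting certificate (one per line).
demo_user_cert() {
    work=$(mktemp -d)

    # 1. The SSH-CA is an ordinary key pair; the server will trust its
    #    public half. Protect the private half on a real CA host.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$work/ssh_ca"

    # 2. The user's ordinary key pair (the thing the user actually holds).
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$work/id_alice"

    # 3. The CA signs the user's public key. -n lists the principals
    #    (account names) the certificate is valid for, -I is an identity
    #    string that sshd logs on login, -V bounds the validity period.
    #    Produces id_alice-cert.pub next to the public key.
    ssh-keygen -q -s "$work/ssh_ca" -I 'alice-laptop' -n alice -V +52w \
        "$work/id_alice.pub" >/dev/null

    # 4. Server side: trust the CA and map certificate principals to
    #    accounts. Written to a file only for illustration; on a real
    #    host these lines go into /etc/ssh/sshd_config, and ssh_ca.pub
    #    is copied there. With only TrustedUserCAKeys, a certificate is
    #    accepted for account X when X is among its principals; the
    #    optional AuthorizedPrincipalsFile replaces that rule with a
    #    per-account list of accepted principal names.
    cat > "$work/sshd_config.fragment" <<'EOF'
TrustedUserCAKeys /etc/ssh/ssh_ca.pub
# Optional: per-account principal list instead of "principal == username"
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF

    # 5. Inspect the certificate and extract the Principals block, which is
    #    the line after "Principals:" in ssh-keygen -L output.
    ssh-keygen -L -f "$work/id_alice-cert.pub" \
        | awk '/Principals:/ { getline; gsub(/^[ \t]+/, ""); print }'

    rm -rf "$work"
}
```

The client needs no patch: it presents id_alice-cert.pub alongside id_alice automatically once the certificate sits next to the key, and the server grants access to the account named in the principal list without any entry in authorized_keys. Revocation is handled with the RevokedKeys directive, which the example does not set up.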