On 7/26/22 11:13, Roman Janota wrote:
Hello,
I was wondering if there is support for authentication via X.509
certificate (as this email archive
<https://archive.libssh.org/libssh/2015-03/0000000.html> suggests). If
it can be done, is it possible to extract the client's certificate on
the server side after a successful authentication? If so, can you please
clarify which API calls to use. Thank you in advance.

Hi,
it is not possible to use X.509 certificates for authentication in
libssh. There is RFC 6187 and there are patches for OpenSSH to work with
raw X.509 certificates, but they were never merged upstream
because it hugely increases the attack surface:
https://roumenpetrov.info/secsh/index.html
Instead, the OpenSSH developers implemented SSH certificates that
partially work also in libssh. These are discussed in the above
mentioned link, but libssh supports them only as opaque blobs read
from files, so they are usable only for client-side authentication.
The server-side implementation is still missing.
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
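To make concrete what "opaque blob" means in the reply above, here is an added example (not code from the thread, from libssh, or from OpenSSH) that parses an OpenSSH user certificate blob and applies the policy checks a server-side implementation would need before trusting it: certificate type, principal match and validity window. The field layout follows OpenSSH's PROTOCOL.certkeys document for the ed25519 certificate type; the sample blob is constructed with placeholder key, nonce and signature bytes, so it carries no cryptographic value, and verifying the signature over `signed_data` against a trusted CA key is a separate step that this example does not perform.

```python
"""Parse an OpenSSH ed25519 user certificate blob and apply the server-side
policy checks that libssh currently lacks. Signature verification is NOT done
here; the returned signed_data is what must be verified against the CA key."""
import struct
from typing import Any, Dict, List, Tuple

# Certificate type values from OpenSSH PROTOCOL.certkeys (assumed format).
SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_sample_cert(principals: List[str], valid_after: int, valid_before: int,
                      cert_type: int = SSH_CERT_TYPE_USER) -> bytes:
    """Build a constructed ssh-ed25519-cert-v01 blob with placeholder key material."""
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    body = (
        _string(b"ssh-ed25519-cert-v01@openssh.com")
        + _string(b"\x00" * 32)                  # nonce (placeholder)
        + _string(b"\x11" * 32)                  # subject ed25519 public key (placeholder)
        + struct.pack(">Q", 42)                  # serial
        + struct.pack(">I", cert_type)           # type: user or host
        + _string(b"example-key-id")             # key id (free-form label)
        + _string(principals_blob)               # valid principals, packed strings
        + struct.pack(">Q", valid_after)         # seconds since epoch, inclusive
        + struct.pack(">Q", valid_before)        # seconds since epoch, exclusive
        + _string(b"")                           # critical options (none)
        + _string(b"")                           # extensions (none)
        + _string(b"")                           # reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA public key (placeholder)
    )
    signature = _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64))  # placeholder
    return body + signature


class _Reader:
    """Minimal cursor over SSH wire-format fields; raises on truncation."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated string field")
        self.off += n
        return s


def parse_cert(blob: bytes) -> Dict[str, Any]:
    """Decode the certificate fields; rejects non-ed25519 types and trailing bytes."""
    r = _Reader(blob)
    cert: Dict[str, Any] = {"type_name": r.string().decode()}
    if cert["type_name"] != "ssh-ed25519-cert-v01@openssh.com":
        # RSA and ECDSA certificates pack the subject key as several fields.
        raise ValueError("only ed25519 certificates are handled here")
    cert["nonce"] = r.string()
    cert["public_key"] = r.string()
    cert["serial"] = r.u64()
    cert["cert_type"] = r.u32()
    cert["key_id"] = r.string().decode()
    pr = _Reader(r.string())                      # nested list of principal strings
    principals: List[str] = []
    while pr.off < len(pr.data):
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    cert["critical_options"] = r.string()
    cert["extensions"] = r.string()
    r.string()                                    # reserved, ignored
    cert["ca_key"] = r.string()
    cert["signed_data"] = blob[:r.off]            # the signature covers every field before it
    cert["signature"] = r.string()
    if r.off != len(blob):
        raise ValueError("trailing bytes after signature")
    return cert


def check_cert(cert: Dict[str, Any], username: str, now: int) -> Tuple[bool, str]:
    """Policy checks only; apply after cert['signed_data'] has been verified."""
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if not cert["principals"]:
        # OpenSSH treats an empty list as 'any principal'; this local policy rejects it.
        return False, "certificate lists no principals"
    if username not in cert["principals"]:
        return False, f"{username!r} not among principals {cert['principals']}"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    return True, "ok"


if __name__ == "__main__":
    blob = build_sample_cert(["roman"], valid_after=1000, valid_before=2000)
    cert = parse_cert(blob)
    print(cert["key_id"], cert["principals"], check_cert(cert, "roman", 1500))
```

The order matters: a server must verify the signature over `signed_data` with a CA key it already trusts before any field in the certificate, principals included, can be relied on. The principal and time checks are what distinguish a certificate from a plain authorized key, and they are exactly the logic that a libssh server cannot apply while the blob stays opaque.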