Support for OpenSSH Certificate based authentication
|Reported by:|Daniel Migowski|
OpenSSH supports client certificates signed by some CA (not X.509 certificates, but their own simpler form). These certificates are great because, when created with a short validity time, they can function as a temporary access token for servers. This makes handling a large number of servers and users on these servers very easy.
The certificates are described at http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD and should be easy to implement in the protocol, according to the PuTTY devs (https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-openssh-certkeys.html). I don't share their opinion that the ppk files need to be updated, but the GUI should just add a field where the cert file can be added, and together with a ppk file containing the key the client has all the information it needs to connect to a server.
The absence of any free Windows SCP client supporting OpenSSH certificates is the only thing currently stopping me from rolling out this feature in our organization. We are willing to donate 500$ if someone finds the time to implement that.
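The short validity time the ticket relies on is carried in two uint64 fields of the certificate blob defined in PROTOCOL.certkeys. The following is an added example, not part of the original ticket and not code from any client mentioned in it: it parses an `ssh-ed25519-cert-v01@openssh.com` line and checks that window. The sample certificate, its key ID and principals are constructed, its signature is a placeholder, and the CA signature is not verified here.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

class Reader:
    """Bounds-checked cursor over an SSH wire-format blob."""
    def __init__(self, blob):
        self.blob, self.pos = blob, 0
    def take(self, n):
        if self.pos + n > len(self.blob):
            raise ValueError("truncated certificate")
        self.pos += n
        return self.blob[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_cert(line):
    """Parse one line of a *-cert.pub file. The CA signature is NOT verified."""
    key_type, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if key_type.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    r.string(); r.string()  # skip nonce and public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    names, cert["principals"] = Reader(r.string()), []
    while names.pos < len(names.blob):
        cert["principals"].append(names.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    return cert

def is_valid_at(cert, now):
    """Validity rule from PROTOCOL.certkeys: valid_after <= now < valid_before."""
    return cert["valid_after"] <= now < cert["valid_before"]

def build_sample(valid_after, valid_before):
    """Constructed sample: dummy key material and a placeholder signature."""
    body = (ssh_string(CERT_TYPE) + ssh_string(b"\x00" * 32) + ssh_string(b"\x01" * 32)
            + struct.pack(">QI", 7, 1) + ssh_string(b"alice-laptop")  # serial, user cert
            + ssh_string(ssh_string(b"alice") + ssh_string(b"deploy"))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") * 3  # critical options, extensions, reserved
            + ssh_string(b"placeholder-ca-key") + ssh_string(b"placeholder-signature"))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

Calling `parse_cert(build_sample(1_700_000_000, 1_700_000_900))` yields a certificate with a 15-minute window; `is_valid_at` returns `False` at exactly `valid_before`, since the upper bound is exclusive.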