Opened 6 years ago

Last modified 2 months ago

#11617 new Feature request

Support for OpenSSH Certificate based authentication

Reported by: Daniel Migowski Owned by:
Priority: normal Component: FileZilla Client
Keywords: openssh certificate Cc:
Component version: Operating system type:
Operating system version:

Description

OpenSSH supports client certificates signed by some CA (not X.509 certificates, but their own simpler form). These certificates are great because, when created with a short validity time, they can function as a temporary access token for servers. This makes handling a large number of servers and users on these servers very easy.

The certificates are described at http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD and should be easy to implement in the protocol, according to the PuTTY devs (https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-openssh-certkeys.html). I don't share their opinion that the ppk files need to be updated, but the GUI should just add a field where the cert file can be added, and together with a ppk file containing the key the client has all the information it needs to connect to a server.

The absence of any free Windows SCP client supporting OpenSSH certificates is the only thing currently stopping me from rolling out this feature in our organization. We are willing to donate 500$ if someone finds the time to implement that.
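An added example, not part of the ticket and not FileZilla or PuTTY code: a Python sketch that reads the fields of an `ssh-ed25519-cert-v01@openssh.com` certificate in the order PROTOCOL.certkeys defines them and checks the short-validity property described above. It does not verify the CA signature; `make_sample`, the one-hour policy and all sample values are constructed for illustration.

```python
import base64, struct

def _string(buf, off):
    """Read one SSH 'string': uint32 length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ed25519_cert(line):
    """Parse the leading fields of an ssh-ed25519-cert-v01@openssh.com line."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _string(blob, 0)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type")
    _nonce, off = _string(blob, off)
    _pk, off = _string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _string(blob, off)
    plist, off = _string(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _string(plist, p)
        principals.append(name.decode())
    return {"serial": serial, "type": {1: "user", 2: "host"}.get(ctype, "unknown"),
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}

def check_lifetime(cert, now, max_seconds=3600):
    """Return a list of findings; empty means currently valid and short-lived."""
    findings = []
    if not cert["valid_after"] <= now < cert["valid_before"]:
        findings.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_seconds:
        findings.append("lifetime exceeds policy")
    if not cert["principals"]:  # empty list means valid for any principal
        findings.append("no principals: valid for any user")
    return findings

def make_sample(after, before, principals=(b"deploy",)):
    """Build a constructed certificate line (placeholder keys and signature)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = (s(b"ssh-ed25519-cert-v01@openssh.com") + s(b"\x00" * 32) + s(b"\x01" * 32)
            + struct.pack(">QI", 7, 1) + s(b"constructed-example")
            + s(b"".join(s(p) for p in principals)) + struct.pack(">QQ", after, before)
            + s(b"") + s(b"") + s(b"") + s(b"placeholder-ca-key") + s(b"placeholder-sig"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " sample"
```
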

Change History (3)

comment:1 by Tim Kosse, 6 years ago

> I don't share their opinion that the ppk files need to be updated, but the GUI should just add a field where the cert file can be added, and together with a ppk file containing the key the client has all the information it needs to connect to a server.

I share their opinion. It's a difficult feature to implement.

comment:2 by Tim Kosse, 6 years ago

> We are willing to donate 500$ if someone finds the time to implement that.

It's not a donation if it expects something in return.

comment:3 by ethanheilman, 2 months ago

When this ticket was first opened in 2018, PuTTY did not have SSH certificate support. In 2022, PuTTY added SSH certificate support. As FileZilla uses PuTTY as its underlying SSH layer, adding SSH certificate support to FileZilla should be far easier now.

I want to voice my support for FileZilla adding SSH certificate support.
