The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Monday, March 02, 2009

Using signed certificates with OpenSSH

A few months ago, I started playing around with secure certificates. I downloaded TinyCA, a simple interface to OpenSSL that's enough to run a simple certificate authority. Using that, I created a secure site (it's signed by my own certificate authority so you'll get a warning if you visit that page; if you don't want to get the warning and you trust me enough, you can install my certificate authority certificate and check the fingerprints).

Once that was done, I went further and protected a directory using signed certificates for client authentication (and you'll get a very cryptic error when you visit that link without installing the proper certificate). TinyCA makes the process painless to play around with this stuff (and for the curious, the configuration file).

Now, the recent mess with logging in via ssh got me thinking. It would be nice if we (as in, The Company) could use secure certificates to log in via ssh. Sure, we can generate key files to have password-less logins, but we have a few customers that also need ssh access, and having a secure certificate would be nice. Not only could we set the expiration date, but we could also revoke the certificate should it become necessary (a compromised account, non-payment of bills or an employee (heaven forbid) being let go).

Now, given that TinyCA is a basic frontend to OpenSSL, and that OpenSSH uses OpenSSL, I expected OpenSSH to have support for signed certificates.

Apparently not, but there is a patch for it. This is something I need to look into.

Update on Thursday, May 18th, 2023

https://secure.conman.org/ is no longer as all my sites are now secure.

Obligatory AI Disclaimer

No AI was used in the making of this site, unless otherwise noted.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.