Re: X.509 and ssh

"DT" == Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> writes:

DT> On 2006-02-12, Richard E. Silverman <res@xxxxxxxx> wrote:
>>>>>>> "DT" == Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> writes:
DT> There's another option not mentioned, and it is a (proposed)
DT> standard: SSH fingerprints via DNS, RFC4255. It needs a secure
DT> DNS to be useful, and only helps with known hosts, though.
>> Good point; thanks. I'm not sure what you mean by "only helps
>> with known hosts," though; could you clarify?

DT> You can't use it to centralise, eg, authorized_keys.

DT> To achieve the same effect as, eg, kerberos single sign on you
DT> would still need to distribute authorized_keys files to the
DT> relevant servers.

Oh, you mean it doesn't help with user authentication. Yes; I was only
talking about server auth.

Richard Silverman
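Added example (not part of the thread above; my own code, not OpenSSH's): a small Python model of the RFC 4255 mechanism the thread is discussing, to make the "only helps with known hosts" point concrete. It turns an OpenSSH public key line into an SSHFP record (the same thing `ssh-keygen -r hostname` prints), and then checks a presented host key against a set of SSHFP records the way a client with `VerifyHostKeyDNS` conceptually does: only a DNSSEC-validated answer counts, and the key is accepted only if some record's fingerprint matches. Nothing here touches authorized_keys or user authentication, which is exactly the gap Darren points out. Assumptions: the two keys are constructed byte strings, not real keys; the `dns_secure` flag stands in for the resolver's AD bit (real OpenSSH still shows unvalidated records as a hint and prompts, this model simply rejects them); algorithm 3 (ECDSA) and 4 (Ed25519) and fingerprint type 2 (SHA-256) come from RFC 6594 and RFC 7479, which postdate this 2006 exchange.

```python
import base64
import hashlib
import hmac
import struct

# Algorithm numbers: RFC 4255 defines 1 (RSA) and 2 (DSS); RFC 6594 added 3 (ECDSA),
# RFC 7479 added 4 (Ed25519). Both later RFCs postdate the 2006 thread above.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: RFC 4255 defines 1 (SHA-1); RFC 6594 added 2 (SHA-256).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH 'string' (RFC 4251): big-endian uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Return (key_type, blob) from an OpenSSH public key line: 'type base64 [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob itself begins with the key type as an SSH string; require consistency.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type inside blob does not match the line prefix")
    return key_type, blob


def sshfp_rdata(key_type: str, blob: bytes, fp_type: int) -> bytes:
    """RFC 4255 RDATA: algorithm (1 byte), fingerprint type (1 byte), hash of the key blob."""
    algo = SSHFP_ALGORITHM[key_type]
    digest = SSHFP_HASH[fp_type](blob).digest()
    return bytes([algo, fp_type]) + digest


def sshfp_record(owner: str, pubkey_line: str, fp_type: int = 2) -> str:
    """Presentation format '<owner> IN SSHFP <alg> <fptype> <hex>', as ssh-keygen -r prints it."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    rdata = sshfp_rdata(key_type, blob, fp_type)
    return f"{owner} IN SSHFP {rdata[0]} {rdata[1]} {rdata[2:].hex().upper()}"


def parse_sshfp_record(record: str):
    """Return (alg, fp_type, fingerprint) from 'owner IN SSHFP a t hex' or bare 'a t hex'."""
    fields = record.split()
    idx = fields.index("SSHFP") + 1 if "SSHFP" in fields else 0
    return int(fields[idx]), int(fields[idx + 1]), bytes.fromhex(fields[idx + 2])


def host_key_matches(pubkey_line: str, records, dns_secure: bool) -> bool:
    """Model of the client-side check: SSHFP answers are only trusted when the
    resolver validated them with DNSSEC (assumption: dns_secure stands in for the
    AD bit); accept the host key if any record of the right algorithm matches."""
    if not dns_secure:
        return False
    key_type, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGORITHM[key_type]
    for rec in records:
        alg, fp_type, fp = parse_sshfp_record(rec)
        if alg != algo or fp_type not in SSHFP_HASH:
            continue  # different algorithm or an unknown hash type: skip, never fail open
        if hmac.compare_digest(SSHFP_HASH[fp_type](blob).digest(), fp):
            return True
    return False


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 constructed bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample keys (not real Ed25519 points, only used for fingerprinting).
HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)), "constructed-host-key")
OTHER_KEY = make_ed25519_pubkey_line(bytes(range(1, 33)), "constructed-other-key")

if __name__ == "__main__":
    records = [sshfp_record("host.example.", HOST_KEY, 2),
               sshfp_record("host.example.", HOST_KEY, 1)]
    for r in records:
        print(r)
    print("host key accepted (secure DNS):", host_key_matches(HOST_KEY, records, True))
    print("other key accepted (secure DNS):", host_key_matches(OTHER_KEY, records, True))
    print("host key accepted (insecure DNS):", host_key_matches(HOST_KEY, records, False))
```

Note that the verification side does nothing with the client's authorized_keys; SSHFP only answers "is this the server I meant to reach", so centralising user authorization still needs Kerberos, certificates, or pushing authorized_keys to each host, as the thread says.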