Certificate Authfile
Our SSL base servers like SSLrshd(8) use a
set of auth files when determining whether to grant access to a resource.
The file format is backwards compatible with the /etc/ssl.users
from Tim Hudson's SSLtelnet and
/etc/ssl.users is included in the default auth file list
(/etc/ssl.deny, /etc/ssl.root, /etc/ssl.local, /etc/ssl.users,
/etc/ssl.global).
The auth file format is:
key[,key[,...]]:[-e] cert[:domain[,domain[,...]]]
where:
- cert
- is the one line distinguished name of the
certificate presented by the client. If it is preceeded by -e,
then cert is a regular expression that can match multiple
certificates. The -e is used to ensure that use of regular
expressions in matching certificates is a conscious decision of the
system administrator.
- key
- is a resource that a remote client wishes to
access. In the case of ssl_rcmd(3) it is a local user-id. If
key is ``root'' a matching certificate may access any resource
(or user-id). Generally, when cert is a regexp, it is useful
to list key as a field to extract from the client certificate.
For example, /CN= would cause any remote user to be able to access a
local resource with the same name as the CommonName field from their
certificate, any field can be selected, though the value is truncated
at the first ``@'' so that an e-mail address can be extracted as a
user-id. Note that a field value of ``root'' will never match,
any certificate which is to be granted root privileges must be
explicitly listed.
- domain
- if present, identifies a host or domain from
which a certificate which maches cert will be accepted.
Normally servers like SSLrshd, do not care where a cert is presented
from.
The exception is a host certificate, which will only be accepted from
a client whoes IP address resolves to a name which matches the domain
specified in the certificate.
See domaincmp(3) for
details. Trusting host based certificates should be avoided as they
re-introduce the possibility of IP address and DNS spoofing which make
the r* commands risky. In the real world however, host to host
transactions are a necessary evil.
When the host certficate contains a wildcard
like /CN=*.crufty.net. The domain
check can be used to limit the matches that will be accepted.
Note that we recommed against ever placing trust in a wildcard host certificate.
If a match is found in ssl.deny it means the certificate should
be denied access. Matches found in any other auth file, mean that
access should be granted - unless key is deny.
$Id: authfile.html,v 1.2 2002/11/27 06:11:51 sjg Exp $
Copyright ©
1997-2001 CRUFTY.NET