SSH certificates are a recent addition to the protocol, and I see them as being used mostly for the clients.

Can the server use an SSH certificate too?

And if so, is it possible to have mutual SSH authentication between a client and a server, all done via certificates?

  • The certificates used by OpenSSH are not recent; it has implemented them since 5.5 in 2010 at least. But they are a nonstandard extension, so I wouldn't describe them as in 'the protocol'. They do support both host=server and user=client authentication; see [the man page](https://man.openbsd.org/ssh-keygen.1#CERTIFICATES) – dave_thompson_085 Oct 27 '20 at 08:16
  • Thanks! Could you help me understand why they are non-standard? – SquareRootOfTwentyThree Oct 27 '20 at 20:35
  • Trivially, they are nonstandard because they aren't defined in the documents that define the standard. AFAIK the OpenSSH people have never proposed them to be standardized; I don't know why not. Maybe they like having greater flexibility to change (although a standard could allow extension, as the base protocol already does), maybe they don't think there's sufficient need, maybe they even think the current scheme might be dropped (although after 10+ years that seems unlikely). No one else proposed it either; if you identify someone that you think should have, you could ask them why not. – dave_thompson_085 Oct 28 '20 at 17:27
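
The host and user certificate types mentioned in the comments, shown as an added example that is not part of the original thread: one CA signs a host key (`-h`) and a user key, then the script prints the settings each side needs to trust the other's certificate. The names `demo-ca`, `host.example.test` and `alice`, the validity periods and the temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: mutual certificate authentication with OpenSSH.
# All names (demo-ca, host.example.test, alice) are constructed placeholders.
set -eu

make_certs() {
    dir=$1
    # One CA for brevity; separate host and user CAs are a common choice.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/ca"
    # Server side: host key plus a HOST certificate (-h) bound to its name (-n).
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -s "$dir/ca" -I host.example.test -h \
        -n host.example.test -V +52w "$dir/ssh_host_ed25519_key.pub"
    # Client side: user key plus a USER certificate for principal "alice".
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"
    ssh-keygen -q -s "$dir/ca" -I alice -n alice -V +1d "$dir/id_ed25519.pub"
}

# Prints "host" or "user", taken from the "Type:" line of ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/ {print $3}'
}

# Settings that make each side verify the other's certificate against the CA.
print_config() {
    dir=$1
    cat <<EOF
# server, sshd_config: present the host cert, accept user certs from the CA
HostKey $dir/ssh_host_ed25519_key
HostCertificate $dir/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $dir/ca.pub

# client, known_hosts: accept host certs signed by the CA for this name
@cert-authority host.example.test $(cat "$dir/ca.pub")

# client, ssh_config: present the user cert alongside the private key
IdentityFile $dir/id_ed25519
CertificateFile $dir/id_ed25519-cert.pub
EOF
}

demo=$(mktemp -d)
make_certs "$demo"
echo "host cert type: $(cert_type "$demo/ssh_host_ed25519_key-cert.pub")"
echo "user cert type: $(cert_type "$demo/id_ed25519-cert.pub")"
print_config "$demo"
rm -rf "$demo"
```

With these settings neither side needs the other's individual public key in `known_hosts` or `authorized_keys`; the only shared trust anchor is the CA public key.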

0 Answers