PuTTY wish ssh2-openssh-certkeys


summary: Support for OpenSSH certificates
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: medium: This should be fixed one day.
fixed-in: e52087719c4e185e433f7b5b1fb8383b4d910c2e (0.78)

OpenSSH has a system of certificates that it can use for authentication, under the following algorithm names:

They are described in this document.

PuTTY could usefully support using them for authentication. While the changes to the SSH protocol are trivial, the necessary modifications to the PuTTY private key file and to PuTTYgen might be a little more complicated, and host certificates would have to be integrated into PuTTY's host-key checking mechanisms.

Update, 2022-07: this is now more or less fully implemented in the snapshots, having been under development for the past three months or so, although it's not yet documented at all (notably, the syntax for CA configuration expressions is so far only documented in a source code comment in utils/cert-expr.c).

2022-08-07: now properly done, without a long list of things to clean up afterwards. Documentation done, in particular.

The sponsor and lead partner for this work was Teleport. (See also the development blog post for this feature.)


(last revision of this bug record was at 2023-01-25 10:42:29 +0000)