NIAP: View Technical Decision Details
Archived TD0243:  SSH Key-Based Authentication

Publication Date

Protection Profiles

Other References

Issue Description

FIA_UAU.5.1 provides a selection for authentication based on X.509 certificates. The default implementation of OpenSSH does not provide capabilities for X.509 authentication. While it is not a mandatory inclusion, many end-users will choose to disable password authentication in favor of using SSH keys.


FIA_UAU.5.1 is updated as follows to allow the use of SSH keys:

FIA_UAU.5 Multiple Authentication Mechanisms
The OS shall provide the following authentication mechanisms [selection:

authentication based on user name and password,
authentication based on user name and a PIN that releases an asymmetric key stored in OE-protected storage,
authentication based on X.509 certificates,
for use in SSH only, SSH public key-based authentication as specified by the Extended Package for Secure Shell

] to support user authentication.


 Application Note:


The "for use in SSH only, SSH public key-based authentication as specified by the Extended Package for Secure Shell" selection can only be included, and must be included, if FTP_ITC_EXT.1.1 selects "SSH as conforming to the Extended Package for Secure Shell".


Operating systems, like other technologies, should be allowed to support public key authentication without X.509 certificates for SSH.
