NIAP: View Technical Decision Details
Archived TD0243:  SSH Key-Based Authentication

Publication Date
2017.10.03

Protection Profiles
PP_OS_V4.1

Other References
FIA_UAU.5.1

Issue Description

FIA_UAU.5.1 provides a selection for authentication based on X.509 certificates. The default implementation of OpenSSH does not provide capabilities for X.509 authentication. While it is not a mandatory inclusion, many end users will choose to disable password authentication in favor of using SSH keys.

Resolution

FIA_UAU.5.1 is updated as follows to allow the use of SSH keys:

FIA_UAU.5 Multiple Authentication Mechanisms
The OS shall provide the following authentication mechanisms
[selection:
    authentication based on user name and password,
    authentication based on user name and a PIN that releases an asymmetric key stored in OE-protected storage,
    authentication based on X.509 certificates,
    for use in SSH only, SSH public key-based authentication as specified by the Extended Package for Secure Shell
] to support user authentication.

Application Note:

The "for use in SSH only, SSH public key-based authentication as specified by the Extended Package for Secure Shell" selection can only be included, and must be included, if FTP_ITC_EXT.1.1 selects "SSH as conforming to the Extended Package for Secure Shell".

Justification

Operating systems, like other technologies, should be allowed to support public key authentication without X.509 certificates for SSH.

 
 