Embodiments of the present invention generally relate to telecommunications and more specifically to techniques for validating public keys using AAA services for a security protocol.
Security protocols, such as the secure shell (SSH) protocol, are used to allow secure access to devices, such as routers, hosts, etc. The security protocols are used to form protected channels in which data can be exchanged between devices in a secure manner. The SSH protocol uses public keys to authenticate both servers and clients. However, SSH does not support a standard mechanism for the use of a public key infrastructure to authenticate the public keys. Thus, when a client or server wishes to validate a public key, the client or server needs to have a local copy of the public key that is bound to any other information needed to validate the key, such as an identity and any authorizations for the identity. Maintaining all of this information locally is a manual and tedious process. For example, lists of identities and public keys need to be created and further maintained for each client and server. This does not scale well when lists have to be maintained on many clients and servers.
The public key infrastructure can use a certificate authority to streamline the validation process. For example, a centralized certificate authority (CA) may use a CA certificate to sign a public key that has been bound to an identity, and then issue a certificate that includes that binding. When this certificate is presented to an entity, only the public key of the certificate authority is needed to validate the certificate, and the public key contained in the certificate is then assumed to be trustworthy: if the entity trusts the certificate authority, a certificate that validates under the certificate authority's public key is considered valid. However, this process has several disadvantages. For example, some security protocols, such as SSH, do not support the use of a certificate authority in a standard way. Further, some business entities are not set up to use a certificate authority, and setting up support for one may require extra processes to be configured and may also be costly.
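The binding-and-signature model described above, as an added example that is not part of the original text: the CA signs a record binding a public key to an identity and its authorization, and the relying side checks a presented key against that record using only the CA public key, with no local list of keys. Ed25519 from Go's standard library stands in for the CA key; the names Binding, Issue and Validate and the sample identity are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Binding is what the text says must travel with a key: the identity it
// belongs to and that identity's authorization. The CA signs this whole record.
type Binding struct {
	Identity      string
	PublicKey     ed25519.PublicKey
	Authorization string
}

// encode is deterministic: struct fields marshal in declaration order.
func encode(b Binding) []byte { out, _ := json.Marshal(b); return out }

// Issue is the CA side: the returned signature is the "certificate" for b.
func Issue(caPriv ed25519.PrivateKey, b Binding) []byte {
	return ed25519.Sign(caPriv, encode(b))
}

// Validate is the relying side: only the CA public key is needed, not a local
// list of keys. Any edit to the binding after issue invalidates the signature.
func Validate(caPub ed25519.PublicKey, b Binding, sig []byte, presented ed25519.PublicKey, needed string) error {
	if !ed25519.Verify(caPub, encode(b), sig) {
		return errors.New("certificate signature invalid")
	}
	if !b.PublicKey.Equal(presented) {
		return errors.New("presented key is not the certified key")
	}
	if b.Authorization != needed {
		return errors.New(b.Identity + " lacks authorization " + needed)
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	b := Binding{"alice", userPub, "shell"} // constructed sample binding
	sig := Issue(caPriv, b)
	fmt.Println(Validate(caPub, b, sig, userPub, "shell")) // <nil>
	b.Authorization = "root"                               // tampered after issue
	fmt.Println(Validate(caPub, b, sig, userPub, "root"))  // certificate signature invalid
}
```

The tampered case is the point of the binding: raising the authorization after issue is caught by the signature check alone, without the validator holding any per-identity key list.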