On 3/2/21 3:49 PM, Nico Williams wrote:
On Tue, Mar 02, 2021 at 03:23:24PM -0800, Michael Thomas wrote:
So I just looked up ssh certificates which I think somebody mentioned. This
is a prime example of throwing needless complexity at a problem. If you just
added the user's public keys to, say, an LDAP repo, you get the scaling they
In the 80s the naive assumption was made that we'd have "white pages" --
directories -- where we could do such lookups. I think that's what you
have in mind since you refer to an "LDAP repo".
That did not work, and cannot work because it has privacy issues, at
least when you do lookups _by name_.
Now, maybe you have something different in mind.
I'm talking about the server side sshd just fetching the associated ssh
keys with the user trying to log in, maybe with some authz sprinkled in
for finer granularity. It could be LDAP, it could whatever you want. I
don't know how configurable sshd is, so that might limit your choices.
The authenticating party presents a directory name, a public key, and a
signature, and the RP looks up the key in the directory to get a name?
That might not have privacy issues, but it still requires online infra
that someone has to pay for, and that RPs need to contact (so they need
to do async I/O, naturally). More things to break.
And, of course, LDAP is insanely complex and brings X.500 naming right
back into the picture completely unnecessarily (along with ASN.1,
naturally).
I'm just using LDAP as an example of a well known corpro directory. It
could be anything. It just needs to be something online that can store
the name public key(s) binding so that the sshd can see if they should
allow that user/key to log in.
claim to be solving for, and avoid all of the needless complexity of issuing
certs and installing them on the client. The client ssh doesn't need to do
anything different as bonus. With LDAP you get the added bonus that it can
The client is also a relying party though, since it has to authenticate
the server.
If you care about that, I suppose. I think most people do the leap of
faith and known_hosts ignores the problem.
dish out attributes for things like roles and permissions, which would be a
giant headache if it had to be done with reissued certs every time your role
or permission changed.
Certificates are infinitely easier. Now, you mention "the needless
complexity of issuing certs and installing them on the [authenticating
party]". But that's not so complex. You can run an online CA that
issues short-lived client certificates based on a longer-lived
credential, and that and "installing" the certificates (and private
keys) are purely internal details that users shouldn't need to know.
That works for corporate networks, but it should work for a home network
too. For a Mesh-like scheme you're really going to need long-lived
(forever) device public keys and revoke them only in the sense of
removing the public keys from Alice's other devices, and there is a
directory in Mesh case, but it's purely local (just Alice's devices,
which should be few enough that the whole thing scales fine).
I don't see how doing nothing at all on the client can be "infinitely
easier" than doing a lot of something else. Every company large enough
to care about scaling authorized_keys is going to have some sort of
employee directory system, so that complexity is baked in. And a
directory based system doesn't suffer from the revocation problem
either: if I lose my phone, I can just go and delete it as one of my
devices. On the server side it's six of one, half dozen of the other:
it's just configuration that is baked with chef or puppet when it's
brought up.
I'm trying to think of major things that use public key authentication.
There's TLS with certs, DKIM using raw public keys, and SSH mainly using raw
public keys. Am I missing anything else that is widely deployed? DNSsec and
BGP are still pretty skimpy from what I can tell.
Kerberos, with PKINIT. Mosh? But note that SSH, TLS, and Kerberos (or,
rather, GSS-API) covers... a lot of protocols -- practically all
Internet protocols.
Is anybody using PKINIT?
Mike