Re: What ASN.1 got right

On 3/2/21 4:23 PM, Nico Williams wrote:
>> I'm talking about the server side sshd just fetching the associated ssh keys
>> with the user trying to log in, maybe with some authz sprinkled in for finer
>> granularity. It could be LDAP, it could be whatever you want. I don't know how
>> configurable sshd is, so that might limit your choices.
> I wouldn't want to do this.  It's much more complex than the client
> sending a certificate.

Huh? It's a bit of configuration on the server side that is probably captured in provisioning systems. And client provisioning -- which is what certs imply -- is extremely problematic. How do I get a client ssh cert onto my phone's ssh app, for example? Not having to change client behavior or provisioning significantly simplifies the problem.

> And getting their public key(s) (they will almost certainly have more
> than one, and many ephemeral) into the directory is the equivalent of
> getting a certificate issued.  So you're not saving anything, and you're
> adding complexity, and if you're using LDAP you're not even getting rid
> of x.500 or ASN.1.

Not having to do anything at all on the client is a significant savings. I would much rather have the help desk cost of nothing different than take calls on how to install the ssh certs on exotic and not so exotic clients.

>> If you care about that, I suppose. I think most people do the leap of faith
>> and known_hosts ignores the problem.
> I very much care about that.  Certainly in a corporate network.
>
> It's orthogonal to the client side authentication problem though.

>> I don't see how doing nothing at all on the client can be "infinitely
>> easier" than doing a lot of something else. [...]
> It's not nothing.  New keys?  Update the directory.  Same complexity as
> getting keys certified, only worse because the online CA only needs to
> be online when you want new keys / certs, but the directory has to be
> online any time you want to use those keys.

Uploading a new public key is the ~same for both. Downloading a client cert is a whole lot of something. And if your corporate directory is down, you are already in a world of hurt. The advantage of offline verification in the age of 24/7 internet is very niche.

>> Is anybody using PKINIT?
> Yes.

Where? In any volume?

Mike
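As an added example that is not part of the thread (neither Nico's nor Mike's code): the "server side sshd just fetching the associated ssh keys" approach discussed above maps onto OpenSSH's AuthorizedKeysCommand option, which runs a program and treats whatever it prints as that user's authorized_keys. The script below plays that role against a constructed in-script table that stands in for the directory so it runs offline; a real deployment would replace directory_lookup with an LDAP query. The usernames, key strings and function names are all made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal AuthorizedKeysCommand that
# answers "which public keys may log in as $1" from a directory lookup.
#
# Assumed sshd_config wiring (both options are real OpenSSH settings):
#   AuthorizedKeysCommand /usr/local/bin/ssh-dir-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd refuses to run the command unless it is owned by root and not
# writable by group or others, so install it accordingly.

# Constructed sample directory export, one "user:key line" per row.
# The key material is fake. Row 3 is deliberately malformed and row 4
# belongs to a different user, to show that both are filtered out.
SAMPLE_DIRECTORY='alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxIexampleKeyMaterial1 alice@laptop
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxIexampleKeyMaterial2 alice@phone
alice:this is not a key
bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxIexampleKeyMaterial3 bob@desk'

# directory_lookup USER: print the raw rows stored for USER.
# Stand-in for something like an ldapsearch against the corporate directory.
directory_lookup() {
    printf '%s\n' "$SAMPLE_DIRECTORY" |
        awk -F: -v u="$1" '$1 == u { sub(/^[^:]*:/, ""); print }'
}

# authorized_keys_for USER: the command body sshd would invoke.
# 1. Reject usernames outside a conservative character set (sshd passes %u,
#    but a lookup layer should not trust its input anyway).
# 2. Keep only lines that look like "<keytype> <base64> [comment]". A corrupt
#    or hostile directory entry therefore cannot smuggle authorized_keys
#    options such as command= or environment= into sshd's view.
# Returns non-zero (and prints nothing) when the user is invalid or has no keys,
# which fails closed: no keys printed means no public-key login.
authorized_keys_for() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    directory_lookup "$1" |
        grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# count_keys USER: number of usable keys for USER (0 when none).
count_keys() {
    authorized_keys_for "$1" | wc -l | tr -d ' '
}

# When run by sshd the username arrives as the first argument.
if [ "$#" -gt 0 ]; then
    authorized_keys_for "$1"
fi
```

Two things this makes concrete from the exchange above: the client needs nothing beyond an ordinary key pair, and the trade-off Nico raises is visible in the fail-closed behaviour, because an unreachable directory yields an empty key list and therefore no login. The certificate alternative he prefers is the other real OpenSSH option, TrustedUserCAKeys pointing at the CA public key, which moves the online dependency to the time the certificate is issued rather than every login.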
