Host based authentication and SSH CA.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

Im currently deploying signed host keys for my environment. Everything seems to work fine but I have one problem with host based authentication.

Im running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.

When trying to login between hosts with host-based authentication configured I cant do so if the host is not in /etc/ssh_knows_hosts. If its there it works even if the public key is wrong. It should be enough to have a single "@cert-authority" line in ssh_known_hosts right?

m1# ssh m3 -v
...
debug1: Host 'm3' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
...
debug1: ssh_rsa_verify: signature correct
-----

m3# /usr/sbin/sshd -dd
...
debug3: load_hostkeys: loading entries for host "m1" from file "/etc/ssh/ssh_known_hosts" debug3: load_hostkeys: found ca key type RSA in file /etc/ssh/ssh_known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: check_key_in_hostfiles: key for host m1 not found
debug1: check_key_in_hostfiles: key for host m1 not found

Why cant I use the CA for host based auth?

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux