On 11/05/2014 01:09 AM, Damien Miller wrote:
> On Tue, 4 Nov 2014, Peter Ankerstål wrote:
>
> > Hi,
> >
> > I'm currently deploying signed host keys for my environment. Everything seems to work fine but I have one problem with host based authentication. I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
> >
> > When trying to login between hosts with host-based authentication configured I can't do so if the host is not in /etc/ssh_knows_hosts. If it's there it works even if the public key is wrong. It should be enough to have a single "@cert-authority" line in ssh_known_hosts, right?
>
> I don't think host-based auth has ever been properly tested with certified keys (unfortunately, it's barely tested generally due to the difficulty of writing a test script for it). It's entirely possible that there are bugs there.
>
> Please file a report at https://bugzilla.mindrot.org/ and include the config files in question and I'll take a look when I have some time next.
>
> -d

Thanks. https://bugzilla.mindrot.org/show_bug.cgi?id=2305
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev