Re: Host based authentication and SSH CA.

On 11/06/2014 10:44 PM, Iain Morgan wrote:
On Wed, Nov 05, 2014 at 08:46:58 +0100, Peter Ankerstål wrote:
On 11/05/2014 01:09 AM, Damien Miller wrote:
On Tue, 4 Nov 2014, Peter Ankerstål wrote:

Hi,

I'm currently deploying signed host keys for my environment. Everything seems
to work fine, but I have one problem with host-based authentication.

I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.

When trying to log in between hosts with host-based authentication configured, I
can't do so if the host is not in /etc/ssh_known_hosts. If it's there, it works
even if the public key is wrong. It should be enough to have a single
"@cert-authority" line in ssh_known_hosts, right?

I don't think host-based auth has ever been properly tested with certified
keys (unfortunately, it's barely tested generally due to the difficulty of
writing a test script for it). It's entirely possible that there are bugs
there.

Please file a report at https://bugzilla.mindrot.org/ and include the
config files in question and I'll take a look when I have some time next.

-d


Thanks.

https://bugzilla.mindrot.org/show_bug.cgi?id=2305


When I submitted the patch that extended certificate support to
hostbased authentication, it seemed to be working. However, it is
certainly possible that I overlooked something or that my tests were
incomplete.

A couple of initial questions come to mind:

	What pattern are you using with the @cert-authority entry?

Right now I use *

	What principals (if any) are associated with the host cert?

Right now I don't have any principals at all in the host cert.



If I recall correctly, sshd will use the FQDN when validating the key or
certificate offered by the client. Thus, if you specified any principals
for the certificate, the list must include the FQDN and the pattern for
the @cert-authority entry needs to also match the FQDN.

When logging in with key-based authentication, the host CA works fine.

debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1

But when doing host-based authentication, it first gives me those two lines but then tries to look for m3 specifically in ssh_known_hosts.
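As an added example, not part of this thread or of OpenSSH itself: a small Python check of the two conditions Iain describes, an @cert-authority host pattern that must match the client host's FQDN (modelled on sshd's known_hosts glob and '!' negation semantics, which is an assumption about that behaviour) and a certificate principal list that, when non-empty, must include that FQDN. The ssh_known_hosts text and the key blobs in it are constructed placeholders.

```python
import re

# Constructed sample ssh_known_hosts content (the key blobs are placeholders,
# not real keys): one catch-all CA and one CA scoped to a domain with an exclusion.
KNOWN_HOSTS = """\
# comment line
@cert-authority * ssh-ed25519 AAAAC3PLACEHOLDERCAKEY1 catch-all-ca
@cert-authority *.example.com,!m3.example.com ssh-ed25519 AAAAC3PLACEHOLDERCAKEY2 scoped-ca
m3.example.com ssh-ed25519 AAAAC3PLACEHOLDERHOSTKEY plain-host-key
"""

def _glob_match(pattern, name):
    """known_hosts glob: '*' matches any run, '?' one character; hostnames compare case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, name, re.IGNORECASE) is not None

def match_host_list(pattern_list, name):
    """Comma-separated host patterns; a leading '!' negates, and a negated match rejects outright."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _glob_match(pat[1:], name):
                return False
        elif _glob_match(pat, name):
            matched = True
    return matched

def cert_authorities_for(known_hosts_text, fqdn):
    """Return (pattern, keytype, key) for each @cert-authority line whose pattern matches fqdn."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "@cert-authority":
            continue  # comments, blank lines and plain host-key lines are not CAs
        _marker, hosts, keytype, key = fields[:4]
        if match_host_list(hosts, fqdn):
            found.append((hosts, keytype, key))
    return found

def host_cert_problems(known_hosts_text, fqdn, principals):
    """List why a host cert for fqdn would be rejected: no @cert-authority pattern matches
    the FQDN, or a non-empty principal list omits it (an empty list means 'any host')."""
    problems = []
    if not cert_authorities_for(known_hosts_text, fqdn):
        problems.append("no @cert-authority pattern matches %s" % fqdn)
    if principals and fqdn not in principals:
        problems.append("certificate principals %r do not include %s" % (principals, fqdn))
    return problems
```

Running `host_cert_problems(KNOWN_HOSTS, "m3.example.com", ["m3"])` reports the short-name principal problem from this thread, while an empty principal list passes.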




_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
