Re: Host based authentication and SSH CA.

On 11/07/2014 12:29 PM, Damien Miller wrote:
On Fri, 7 Nov 2014, Peter Ankerstål wrote:

	What principals (if any) are associated with the host cert?

Right now i dont have any principals at all in the host cert.

That's likely the problem then. The principals should list the
hostname(s) of the server.

(I agree that the documentation here is terrible).

If I recall correctly, sshd will use the FQDN when validating the key or
certificate offered by the client. Thus, if you specified any principals
for the certificate, the list must include the FQDN and the pattern for
the @cert-authority entry needs to also match the FQDN.

When logging with key based authentication the host CA works fine.

debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1

But when doing hostbased authentication it first gives me those two lines but
then tries to look for m3 specifically in ssh_known_hosts.

That's strange - I'll take a look via the bug.

-d

I am NOT a programmer, but to me it looks like we need some sort of logic about certs around this block of code in auth2-hostbased.c:

        host_status = check_key_in_hostfiles(pw, key, lookup,
            _PATH_SSH_SYSTEM_HOSTFILE,
            options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
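The thread turns on two different matching rules: the principals embedded in a host certificate, which sshd compares literally against the name it resolves for the host, and the host field of an @cert-authority line in ssh_known_hosts, which is a wildcard pattern list. The script below is an added example (not from this thread and not OpenSSH's own code) that mints a CA and a host certificate carrying the principals for "m3", prints the matching @cert-authority line, and includes two small shell checks that model each rule so the difference can be seen on sample names. The host name "m3" is taken from the thread; the FQDN "m3.example.com", the ed25519 key type and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH itself.
# Host name "m3" comes from the thread; the FQDN "m3.example.com", the
# key type and the file names are assumptions for illustration.

# Build the ssh_known_hosts line that trusts the CA public key CA_PUB
# (the text of a *.pub file) for the host pattern list PATTERN.
cert_authority_line() {
    pattern=$1
    ca_pub=$2
    # Keep only the key type and base64 blob; a trailing comment in the
    # .pub file is not part of the known_hosts entry.
    set -- $ca_pub
    printf '@cert-authority %s %s %s\n' "$pattern" "$1" "$2"
}

# sshd compares certificate principals with the resolved host name
# literally (no wildcards), so the comma-separated list must contain the
# exact name, e.g. the FQDN.  Exit status 0 means the name is listed.
principal_listed() {
    host=$1
    list=$2
    case ",$list," in
        *",$host,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# The host field of a known_hosts entry, by contrast, is a pattern list:
# comma-separated, with * and ? wildcards and a leading ! for negation.
# Exit status 0 means HOST is matched by the pattern list.
known_hosts_pattern_matches() {
    host=$1
    rest=$2
    matched=1
    while [ -n "$rest" ]; do
        pat=${rest%%,*}
        case $rest in
            *,*) rest=${rest#*,} ;;
            *)   rest= ;;
        esac
        case $pat in
            !*) # a matching negated pattern rejects the host outright
                pat=${pat#!}
                case $host in $pat) return 1 ;; esac ;;
            *)
                case $host in $pat) matched=0 ;; esac ;;
        esac
    done
    return $matched
}

# Mint a CA, sign a host key for the given principals, show the result
# with ssh-keygen -L (its "Principals:" section must list the FQDN) and
# print the matching @cert-authority line.  Everything lands in a scratch
# directory that is removed afterwards.
mint_host_cert() {
    principals=$1
    dir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    # -h marks a host certificate; -n sets the principals (host names).
    ssh-keygen -q -s "$dir/host_ca" -I m3-host -h -n "$principals" \
        "$dir/ssh_host_ed25519_key.pub"
    ssh-keygen -L -f "$dir/ssh_host_ed25519_key-cert.pub"
    cert_authority_line "$principals" "$(cat "$dir/host_ca.pub")"
    rm -rf "$dir"
}

# Only run the ssh-keygen steps where the tool is installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    mint_host_cert 'm3,m3.example.com'
fi
```

Running the script on a machine with ssh-keygen prints the decoded certificate followed by the line to paste into /etc/ssh/ssh_known_hosts. The point the thread makes is visible in the two checks: a certificate whose principals say only "m3" does not cover "m3.example.com", while a known_hosts pattern such as "*.example.com" does, so the principals list and the @cert-authority pattern both have to cover whatever name sshd actually resolves.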



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
